ReursorAuth scope /0 problem

[mglants]

• Program: Recursor
• Issue type: Bug report

Short description

I have recursor --> pdns auth(with views enabled)
ClientIP is passed via EDNS
The problem is first request from 127.0.0.1 for domain is cached, and if client for different View (internal) 10.0.0.0/8 is asking for record Recursor responds with cached request for wrong view

Recursor config

  incoming:
    listen:
      - 0.0.0.0
    port: 54
    allow_from:
      - 0.0.0.0/0
    use_incoming_edns_subnet: true
  recordcache:
    max_ttl: 86400
    max_negative_ttl: 10
  packetcache:
    disable: true
  outgoing:
    edns_subnet_allow_list:
      - 0.0.0.0/0
  ecs:
    add_for:
      - 0.0.0.0/0
    ipv4_cache_bits: 24
    ipv4_bits: 24 

Auth Config

  cache-ttl: "0"
  negquery-cache-ttl: "0"
  query-cache-ttl: "0"
  views: "yes"
  zone-cache-refresh-interval: "300"
  edns-subnet-processing: "yes"

Environment

• Operating system: Ubuntu 22.04 LTS
• Software version: PowerDNS 5.0.2, Recursor 5.3.4
• Software source: PowerDNS repository

Steps to reproduce

1. Create zone example.com
2. Create view for example.com_internal - subnet 10.0.0.0/8
3. Create record test.example.com - A 10.0.0.1 for default zone view (0.0.0.0/0)
4. Create record test.example.com A 10.0.0.2 for _internal zone view (10.0.0.0/8)

Expected behaviour

1. Ask record for test.example.com from 127.0.0.1 - getting 10.0.0.1 as expected
2. Ask record for test.example.com from 10.14.0.1 - getting 10.0.0.2 as expected

Actual behaviour

1. Ask record for test.example.com from 127.0.0.1 - getting 10.0.0.1 as expected
2. Ask record for test.example.com from 10.14.0.1 - getting 10.0.0.1 (cached) should answer 10.0.0.2
3. Cache expires ask test.example.com from 10.14.0.1 - getting 10.0.0.2 as expected
4. Ask record for test.example.com from 127.0.0.1 - getting 10.0.0.1 as expected... becase it first got not /0 scope

Other information

If i ask PDNS Auth directly - it answers as expected
I think the problem is PDNS Auth returns CLIENT-SUBNET for default view as scope /0, so Recursor cache it and answer for all clients
tried ipv4_never_cache still cache default view if first answered

[omoerbeek]

Lets first double check if rec produces the right answer for 10.14.0.1 after step 4? This is to confirm that if both scopes are cached, it should find the more specific one.

On a side note: ecs.add_for for all targets is not recommended. There are many auths on the public internet that do not handle ECS correctly. ECS is also a big burden on the cache and other resources. Only use it for auths where it actually provides an observed benefit.

[rgacogne]

I think the problem is PDNS Auth returns CLIENT-SUBNET for default view as scope /0, so Recursor cache it and answer for all clients

I have not confirmed this, but that would be a problem indeed.

[mglants]

Lets first double check if rec produces the right answer for 10.14.0.1 after step 4? This is to confirm that if both scopes are cached, it should find the more specific one.

On a side note: ecs.add_for for all targets is not recommended. There are many auths on the public internet that do not handle ECS correctly. ECS is also a big burden on the cache and other resources. Only use it for auths where it actually provides an observed benefit.

ecs.add_for changed to local clients only, but external /0 scope response is still cached first and answers for all clients

for your question regarding step 4 if ipv4_never_cache: false - and first client who ask is local client in internal view - it's caches as expected, and respond valid anaswers for both external and internal clients if ipv4_never_cache: true - its not working well, and respond with /0 scope address after any response with /0 scope

[mglants]

I found a workaround, but it's way too bad:
Recursor:

  ecs:
    scope_zero_address: 127.0.0.2
    add_for:
      - 127.0.0.0/8
      - 10.0.0.0/8
      - 169.254.0.0/16
      - 192.168.0.0/16
      - 172.16.0.0/12

Auth

Create external network 127.0.0.2/32 
Map view of example.com to external network