Making Debian Strech's PowerDNS 4.0 EDNS compliant for DNS flag day
If you are running PowerDNS authoritative Server 4.0.x (shipped with Debian Stretch), you might get warnings about EDNS compliance for preparation on DNS flag day – Here's how to fix it :-)
A short word about ISC and PowerDNS
The ISC blog states, that PowerDNS authoritative server since Version 4.1 is fully compliant.
Version 4.0 is prone to minor problems with EDNS compliance when run in default config – or "in some corner cases" as ISC says:
PowerDNS recursor 4.2 (to be released soon) will be the first one to no longer accommodate non-compliance.
On the authoritative side, PowerDNS 4.1 is fully compliant; 4.0 has some corner cases that ednscomp notices but that are not a problem in practice – disabling caching removes those edge cases.
Quick fix: Disabling PacketCache
By default, PowerDNS uses a packet cache which improves performance, when answering to identical questions.
Unfortunately, it breaks EDNS compliance. If you have not that much queries and a backend, which is respodning fast enough you might want
to disable that packet cache in your pdns.conf, which defaults to a TTL of 20 seconds if not explicitly configured.
To disable that cache add the following directive to your pdns.conf file:
cache-ttl=0Yes, that's all. Then reload your PDNS service to apply your changes.
(Source of this hint: PowerDNS mailing list)
Disabling the PacketCache might lead to degraded performance on servers with heavy load and/or slow backends.
I did not notice any performance penalties, but if you do on your system, you might want to leave that cache enabled.
As ISC says, this bug is not a big problem and should not affect name resolution at all.
If that's not an option either, you might want to switch to PowerDNS >= 4.1 (i.e. by using PowerDNS' repositories) and fix that bug with an upgrade ;-)
Zur Übersicht | Impressum
Letzte Änderung / Last change: Sunday, 27-Jan-2019 04:46:41 CET