[Pdns-users] CNAME and SOA-Problem

Günter Weber docc at webersheim.de
Tue Jul 22 17:24:23 UTC 2003



Hello,

I once wrote about my problem with pdns 2.9.10 and a special situation.

It is partially working, though problems do exist.

For understanding what I want to do, here is a short overview:

The main page should be reachable by http://www.domain.tld, which is an A-record.
Also by http://domain.tld, which I would like to be a CNAME.
CNAME because of a tool I am writing for automatic Apache configuration; depending on CNAMEs, I can find aliases for the virtualhost section.

This main page offers subdomains to everyone who has interests in one, which then forwards to the page the user has.

Header("Location: http://provider.with.a.long.name.com/has/users/with/homepages") eg :)

This is done by http://forward.domain.tld as an A-record and virtual host with Apache.
To get the forwarding subdomain working, and not to give access to the pdns-table, a script in forward.domain.tld gets the query and the complete host, and redirects to what is in the database.
For this reason, there is a *.domain.tld in the record-table as CNAME to forward.domain.tld.

A-Dig'ing on the records, everything seems to be okay, Apache gets up and running, and the service is working as I like. This side is okay.

Before the problems begin, some words on the configuration:

Master=on, slave=on, axfr for the slave, gmysql as backend, everything works with "normal" domains (no cnames, no wildcards ...)

But here the nice part ends:

An equal configuration on another server, configured as slave, will update its slave zones.
For that, it's doing a SOA-request to the master. My master now has a more or less big problem:

	eg:	dig domain.tld SOA @master

The onscreen results:

PowerDNS answers with:
	Ignoring wildcard CNAME 'forward.domain.tld' pointing at itself

;; QUESTION SECTION:
;domain.tld.                  IN      SOA

;; ANSWER SECTION:
domain.tld.           604800  IN      CNAME   www.domain.tld.
www.domain.tld.       604800  IN      CNAME   forward.domain.tld.
forward.domain.tld.   604800  IN      CNAME   forward.domain.tld.

<irc>
<OUTsider> <docc> referer.ebersheim.de. 604800 IN CNAME referer.ebersheim.de. <- freud would love to see this
</irc>

This is the point. The wildcard *.domain.tld has its chance to overrule the A-record for forward.domain.tld.

The corresponding queries from mysql.log

(1)	select content,ttl,prio,type,domain_id,name from records where name='domain.tld'
(2)	select content,ttl,prio,type,domain_id,name from records where name='www.domain.tld'
(3)	select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='www.domain.tld'
(4)	select content,ttl,prio,type,domain_id,name from records where name='*.domain.tld'
(5)	select content,ttl,prio,type,domain_id,name from records where name='forward.domain.tld'
(6)	select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='forward.domain.tld'

1: Ask for any entry with domain.tld
2: because domain.tld CNAMEs to www.domain.tld, ask for this entry. This will be responded with an A-record and nothing else, so
3: look for a SOA-entry of this. Nothing found, so
4: look for a wildcard-entry. The docs say pdns will go from left to right checking for SOAs, but the CNAME seems to break the rule. Perhaps (I didn't read the source) it knows it had already tested for domain.tld, www.domain.tld, and now looks for a wildcard. *.domain.tld is a CNAME to forward.d.tld, so it will
5: look for any entry with this domain.
6: same as (2), it only has an A-Record, and the soa-query will return empty.

So a quick change with the records:

Domain.tld will be an A-Record,
www.domain.tld a CNAME of domain.tld.

Result:

;; QUESTION SECTION:
;domain.tld.                  IN      SOA

;; ANSWER SECTION:
domain.tld.           604800  IN      SOA     name.master.tld. hostmaster.domain.tld. 1 10800 3600 604800 3600

Don't mind the SOA content :)
Mysql.snip
select content,ttl,prio,type,domain_id,name from records where name='ebersheim.de'
select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='ebersheim.de'

Clean, I would say.

Dig'ing on www.domain.tld is also okay

;; QUESTION SECTION:
;www.domain.tld.              IN      SOA

;; ANSWER SECTION:
www.domain.tld.       604800  IN      CNAME   domain.tld.
domain.tld.           604800  IN      SOA     name.master.tld. hostmaster.domain.tld. 1 10800 3600 604800 3600

select content,ttl,prio,type,domain_id,name from records where name='www.domain.tld'
select content,ttl,prio,type,domain_id,name from records where name='domain.tld'
select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='domain.tld'

Here the way is like it's described in section B.4 of the docs.

But I don't want it that way :)

So here is how I got it working with some problems:

I turned the CNAMEs off by setting skip-cname=yes

This results in just one query for the database:

select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='domain.tld'

A-dig'ing a bla.domain.tld (which is ruled by the wildcard) is also working.

But doing a SOA-Request on www.domain.tld results in the first example: the wildcard record will rule over the A-record.

For me, it's okay so far, because the server is responsible for whole domains, and when it will be for a subdomain, this will result in a SOA-record for it (as it is needed), and SOA's on subdomains aren't that often.

I hope this could help someone in the PowerDNS universe
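
Added example, not part of the original post and not PowerDNS code: a small lint over a `records` table that flags the two conditions behind the SOA answers shown above, a CNAME sharing its owner name with other data (RFC 1034 section 3.6.2 forbids this, and the zone apex always carries an SOA) and a wildcard CNAME whose target lies under the wildcard's own suffix. The function names, the three-column table (a subset of the columns in the logged queries) and the sample rows are assumptions; the wildcard check is a review heuristic, not a protocol rule.

```python
import sqlite3

# Constructed sample rows mirroring the records the post describes; the
# addresses are documentation placeholders, not values from the post.
SOA = "name.master.tld. hostmaster.domain.tld. 1 10800 3600 604800 3600"
BROKEN = [
    ("domain.tld", "SOA", SOA),
    ("domain.tld", "CNAME", "www.domain.tld"),
    ("www.domain.tld", "A", "192.0.2.10"),
    ("forward.domain.tld", "A", "192.0.2.20"),
    ("*.domain.tld", "CNAME", "forward.domain.tld"),
]
# The post's "quick change": apex becomes an A record, www a CNAME to it.
CHANGED = [
    ("domain.tld", "SOA", SOA),
    ("domain.tld", "A", "192.0.2.10"),
    ("www.domain.tld", "CNAME", "domain.tld"),
    ("forward.domain.tld", "A", "192.0.2.20"),
    ("*.domain.tld", "CNAME", "forward.domain.tld"),
]

def load(rows):
    """Build an in-memory table with a subset of the backend's columns."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (name TEXT, type TEXT, content TEXT)")
    db.executemany("INSERT INTO records VALUES (?, ?, ?)", rows)
    return db

def lint_records(db):
    """Return (rule, owner name, detail) tuples for risky CNAME layouts."""
    findings = []
    # Rule 1: an owner name with a CNAME must hold no other record type.
    clash = """SELECT c.name, GROUP_CONCAT(DISTINCT o.type)
               FROM records c JOIN records o
                 ON o.name = c.name AND o.type <> 'CNAME'
               WHERE c.type = 'CNAME' GROUP BY c.name ORDER BY c.name"""
    for name, types in db.execute(clash):
        findings.append(("cname-with-other-data", name, types))
    # Rule 2: a wildcard CNAME pointing inside its own suffix. If the server
    # falls back to the wildcard for a type the target lacks, the target
    # resolves to a CNAME pointing at itself, as in the dig output above.
    wild = ("SELECT name, content FROM records "
            "WHERE type = 'CNAME' AND name LIKE '*.%' ORDER BY name")
    for name, target in db.execute(wild):
        suffix = name[1:].lower()          # "*.domain.tld" -> ".domain.tld"
        if target.rstrip(".").lower().endswith(suffix):
            findings.append(("wildcard-covers-own-target", name, target))
    return findings
```

On the original layout both rules fire; after the record swap described in the post only the wildcard finding remains, which matches the SOA query on www.domain.tld still misbehaving with skip-cname=yes.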


