<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.apple-style-span
{mso-style-name:apple-style-span;}
span.apple-tab-span
{mso-style-name:apple-tab-span;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I ended up having to go back to 2.9.22 to make this work. </span><span style='font-size:11.0pt;font-family:Wingdings;color:#1F497D'>L</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>In our case, we have Windows (Active Directory/DNS) housing some of the (internal) domain, and PowerDNS storing other records.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>To make Windows happy, it is authoritative over a subdomain (e.g. sub.example.com), while PowerDNS handles the parent example.com.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The issue we especially run into is reverse (PTR) records. In our environment, hosts from both domains are in the same IP range (e.g. 10.10.128.x).<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Sooo, when you go for a reverse lookup on 10.10.128.45 (for example), we get into trouble with DNS servers being authoritative over that reverse zone (e.g. 128.10.10.in-addr.arpa), because that record might live in Windows or PowerDNS. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>In addition, we also have some (public IP) records hosted outside our firewall (but still using the internal example.com domain name space). If I use the old PowerDNS, it doesn’t matter that those records are hosted elsewhere but within the internal name space – PowerDNS doesn’t know the answer and simply recourses it out for resolution.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>That’s why I really like the old PowerDNS ability to consult other DNS servers for answers, even within a domain that PowerDNS is considered “authoritative” for – its an awesome feature we rely on very heavily here!!!! =)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I don’t have a clue how easy or hard that would be to code, but I would love it if that was still available in the new (3.x) PowerDNS!!!<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Perhaps even if it was just an option you could toggle on and off (off by default to save on the confusion you mentioned).<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Just my 2 cents.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Brent<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> pdns-users-bounces@mailman.powerdns.com [mailto:pdns-users-bounces@mailman.powerdns.com] <b>On Behalf Of </b>Rory Toma<br><b>Sent:</b> Tuesday, January 10, 2012 6:44 PM<br><b>To:</b> pdns-users@mailman.powerdns.com<br><b>Subject:</b> [Pdns-users] Fwd: Re: Recursion when Powerdns auth servers is SOA<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I noticed I failed to reply to the list...<br><br><br>-------- Original Message -------- <o:p></o:p></p><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0><tr><td nowrap valign=top style='padding:0in 0in 0in 0in'><p class=MsoNormal align=right style='text-align:right'><b>Subject: <o:p></o:p></b></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal>Re: [Pdns-users] Recursion when Powerdns auth servers is SOA<o:p></o:p></p></td></tr><tr><td nowrap valign=top style='padding:0in 0in 0in 0in'><p class=MsoNormal align=right style='text-align:right'><b>Date: <o:p></o:p></b></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal>Tue, 10 Jan 2012 14:56:13 -0800<o:p></o:p></p></td></tr><tr><td nowrap valign=top style='padding:0in 0in 0in 0in'><p class=MsoNormal align=right style='text-align:right'><b>From: <o:p></o:p></b></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal>Rory Toma <a href="mailto:rory@ooma.com"><rory@ooma.com></a><o:p></o:p></p></td></tr><tr><td nowrap valign=top style='padding:0in 0in 0in 0in'><p class=MsoNormal align=right style='text-align:right'><b>To: <o:p></o:p></b></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal>bert hubert <a href="mailto:bert.hubert@netherlabs.nl"><bert.hubert@netherlabs.nl></a><o:p></o:p></p></td></tr></table><p class=MsoNormal><br><br>On 1/10/12 2:48 PM, bert hubert wrote: <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Jan 10, 2012, at 11:37 PM, Rory Toma wrote:<o:p></o:p></p></div><p class=MsoNormal><br><br><o:p></o:p></p><div><p class=MsoNormal><span class=apple-style-span><span style='font-size:13.5pt;font-family:"Arial","sans-serif"'>"To make sure that the local authoritative database overrides recursive information, PowerDNS first tries to answer a question from its own database. If that succeeds, the answer packet is sent back immediately without involving the recursor in any way. This means that for questions for which there is no answer, PowerDNS will consult the recursor for an recursive query, even if PowerDNS is authoritative for a domain! This will only cause problems if you 'fake' domains which don't really exist.</span></span>"<br><br>What I want to do is have powerdns consult the recursor even of powerdns is authoritative for a domain. This is what I can' seem to get to work.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I think we no longer do this, and that the documentation is in that case out of date. It complicated things too badly.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>If you want to override the internet, you may have more success the other way around, put a PowerDNS Recursor with specific authoritative data as an auth server.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><span class=apple-tab-span> </span>Bert<o:p></o:p></p></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>I'll explain my problem in a little more detail, and then perhaps suggestions can flow:<br><br>We are using dns as a registration system. Devices contact a server and register, a dns record is created. For the sake of this discussion, I'll refer to this as old registration system (bind and old registration servers) and new registration system (powerdns and new server)<br><br>Many "apps" need to look up the information in dns, we have a keepalived fault tolerant IP address that points to a name server (currently bind), but we'd like to switch this to powerdns. However, we can't just switch all the dns records over at once, there has to be a transition period. So, we'd like to switch over to powerdns and new registration server. All new records will exist in powerdns. Eventually, all the old records will migrate as clients re-register.<br><br>So, when someone queries the new server, it needs to look up the data first in powerdns, and if it isn't there, recurse.<br><br>I tried putting the powerdns recursor in front. It did not work for me, as each backend server thinks it is authoritative. So if it happens to query that one first, it returns NXDOMAIN and never looks at the next one in the list.<o:p></o:p></p></div></body></html>