<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hmm... got powerdns to start up now, but it does not send out
queries to the recursor in this version, either for me. I have
twiddled the allow-recursion-override and lazy recursion, but no
luck.<br>
<br>
On 1/11/12 7:03 AM, Parish, Brent wrote:
<blockquote
cite="mid:6265B2EB12D194469B958F2E703D81830D6AC77FA4@viper.pc.cognex.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<meta name="Generator" content="Microsoft Word 12 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.apple-style-span
{mso-style-name:apple-style-span;}
span.apple-tab-span
{mso-style-name:apple-tab-span;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
ended up having to go back to 2.9.22 to make this work. </span><span
style="font-size:11.0pt;font-family:Wingdings;color:#1F497D">L</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">In
our case, we have Windows (Active Directory/DNS) housing
some of the (internal) domain, and PowerDNS storing other
records.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">To
make Windows happy, it is authoritative over a subdomain
(e.g. sub.example.com), while PowerDNS handles the parent
example.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">The
issue we especially run into is reverse (PTR) records. In
our environment, hosts from both domains are in the same IP
range (e.g. 10.10.128.x).<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Sooo,
when you go for a reverse lookup on 10.10.128.45 (for
example), we get into trouble with DNS servers being
authoritative over that reverse zone (e.g.
128.10.10.in-addr.arpa), because that record might live in
Windows or PowerDNS. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">In
addition, we also have some (public IP) records hosted
outside our firewall (but still using the internal
example.com domain name space). If I use the old PowerDNS,
it doesn’t matter that those records are hosted elsewhere
but within the internal name space – PowerDNS doesn’t know
the answer and simply recourses it out for resolution.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">That’s
why I really like the old PowerDNS ability to consult other
DNS servers for answers, even within a domain that PowerDNS
is considered “authoritative” for – its an awesome feature
we rely on very heavily here!!!! =)<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
don’t have a clue how easy or hard that would be to code,
but I would love it if that was still available in the new
(3.x) PowerDNS!!!<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Perhaps
even if it was just an option you could toggle on and off
(off by default to save on the confusion you mentioned).<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Just
my 2 cents.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Brent<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
<a class="moz-txt-link-abbreviated" href="mailto:pdns-users-bounces@mailman.powerdns.com">pdns-users-bounces@mailman.powerdns.com</a>
[<a class="moz-txt-link-freetext" href="mailto:pdns-users-bounces@mailman.powerdns.com">mailto:pdns-users-bounces@mailman.powerdns.com</a>] <b>On
Behalf Of </b>Rory Toma<br>
<b>Sent:</b> Tuesday, January 10, 2012 6:44 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:pdns-users@mailman.powerdns.com">pdns-users@mailman.powerdns.com</a><br>
<b>Subject:</b> [Pdns-users] Fwd: Re: Recursion when
Powerdns auth servers is SOA<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I noticed I failed to reply to the list...<br>
<br>
<br>
-------- Original Message -------- <o:p></o:p></p>
<table class="MsoNormalTable" border="0" cellpadding="0"
cellspacing="0">
<tbody>
<tr>
<td style="padding:0in 0in 0in 0in" nowrap="nowrap"
valign="top">
<p class="MsoNormal" style="text-align:right"
align="right"><b>Subject: <o:p></o:p></b></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Re: [Pdns-users] Recursion when
Powerdns auth servers is SOA<o:p></o:p></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in" nowrap="nowrap"
valign="top">
<p class="MsoNormal" style="text-align:right"
align="right"><b>Date: <o:p></o:p></b></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Tue, 10 Jan 2012 14:56:13 -0800<o:p></o:p></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in" nowrap="nowrap"
valign="top">
<p class="MsoNormal" style="text-align:right"
align="right"><b>From: <o:p></o:p></b></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Rory Toma <a
moz-do-not-send="true" href="mailto:rory@ooma.com"><rory@ooma.com></a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in" nowrap="nowrap"
valign="top">
<p class="MsoNormal" style="text-align:right"
align="right"><b>To: <o:p></o:p></b></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">bert hubert <a
moz-do-not-send="true"
href="mailto:bert.hubert@netherlabs.nl"><bert.hubert@netherlabs.nl></a><o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><br>
<br>
On 1/10/12 2:48 PM, bert hubert wrote: <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Jan 10, 2012, at 11:37 PM, Rory Toma
wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal"><span class="apple-style-span"><span
style="font-size:13.5pt;font-family:"Arial","sans-serif"">"To
make sure that the local authoritative database
overrides recursive information, PowerDNS first tries
to answer a question from its own database. If that
succeeds, the answer packet is sent back immediately
without involving the recursor in any way. This means
that for questions for which there is no answer,
PowerDNS will consult the recursor for an recursive
query, even if PowerDNS is authoritative for a domain!
This will only cause problems if you 'fake' domains
which don't really exist.</span></span>"<br>
<br>
What I want to do is have powerdns consult the recursor
even of powerdns is authoritative for a domain. This is
what I can' seem to get to work.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I think we no longer do this, and that
the documentation is in that case out of date. It
complicated things too badly.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">If you want to override the internet,
you may have more success the other way around, put a
PowerDNS Recursor with specific authoritative data as an
auth server.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span class="apple-tab-span"> </span>Bert<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
I'll explain my problem in a little more detail, and then
perhaps suggestions can flow:<br>
<br>
We are using dns as a registration system. Devices contact a
server and register, a dns record is created. For the sake of
this discussion, I'll refer to this as old registration system
(bind and old registration servers) and new registration
system (powerdns and new server)<br>
<br>
Many "apps" need to look up the information in dns, we have a
keepalived fault tolerant IP address that points to a name
server (currently bind), but we'd like to switch this to
powerdns. However, we can't just switch all the dns records
over at once, there has to be a transition period. So, we'd
like to switch over to powerdns and new registration server.
All new records will exist in powerdns. Eventually, all the
old records will migrate as clients re-register.<br>
<br>
So, when someone queries the new server, it needs to look up
the data first in powerdns, and if it isn't there, recurse.<br>
<br>
I tried putting the powerdns recursor in front. It did not
work for me, as each backend server thinks it is
authoritative. So if it happens to query that one first, it
returns NXDOMAIN and never looks at the next one in the list.<o:p></o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Pdns-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Pdns-users@mailman.powerdns.com">Pdns-users@mailman.powerdns.com</a>
<a class="moz-txt-link-freetext" href="http://mailman.powerdns.com/mailman/listinfo/pdns-users">http://mailman.powerdns.com/mailman/listinfo/pdns-users</a>
</pre>
</blockquote>
<br>
</body>
</html>