<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">Michael,</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">You are correct - my typo - it is labisilon (not simply isilon).</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">When I do “dig @pdns01 NS labisilon.lab.example.com" I get the following:</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="color: rgb(0, 0, 0); margin: 0px;"><div id="bloop_customfont" style="margin: 0px;"><font face="Courier New">$ dig @psl-pdns01 ns pslisilon.lab.securustech.net</font></div><div id="bloop_customfont" style="margin: 0px;"><font face="Courier New"><br></font></div><div id="bloop_customfont" style="margin: 0px;"><font face="Courier New">; <<>> DiG 9.8.3-P1 <<>> @psl-pdns01 ns pslisilon.lab.securustech.net</font></div><div id="bloop_customfont" style="margin: 0px;"><font face="Courier New">; (1 server found)</font></div><div id="bloop_customfont" style="margin: 0px;"><font face="Courier New">;; global options: +cmd</font></div><div id="bloop_customfont" style="margin: 0px;"><font face="Courier New">;; Got answer:</font></div><div id="bloop_customfont" style="margin: 0px;"><font face="Courier New">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53684</font></div><div id="bloop_customfont" style="margin: 0px;"><font face="Courier New">;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1</font></div><div id="bloop_customfont" style="margin: 0px;"><font face="Courier New"><br></font></div><div id="bloop_customfont" style="margin: 0px;"><font face="Courier New">;; QUESTION SECTION:</font></div><div id="bloop_customfont" style="margin: 0px;"><font face="Courier New">;labisilon.lab.example.com.<span class="Apple-tab-span" style="white-space:pre"> </span>IN<span class="Apple-tab-span" style="white-space:pre"> </span>NS</font></div><div id="bloop_customfont" style="margin: 0px;"><font face="Courier New"><br></font></div><div id="bloop_customfont" style="margin: 0px;"><font face="Courier New">;; AUTHORITY SECTION:</font></div><div id="bloop_customfont" style="margin: 0px;"><font face="Courier New">labisilon.lab.example.com. 900 IN<span class="Apple-tab-span" style="white-space:pre"> </span>NS<span class="Apple-tab-span" style="white-space:pre"> </span>lab-isilon.lab.example.com.</font></div><div id="bloop_customfont" style="margin: 0px;"><font face="Courier New"><br></font></div><div id="bloop_customfont" style="margin: 0px;"><font face="Courier New">;; ADDITIONAL SECTION:</font></div><div id="bloop_customfont" style="margin: 0px;"><font face="Courier New">lab-isilon.lab.example.com.<span class="Apple-tab-span" style="white-space:pre"> </span>900 IN<span class="Apple-tab-span" style="white-space:pre"> </span>A<span class="Apple-tab-span" style="white-space:pre"> </span>x.x.x.x</font></div><div id="bloop_customfont" style="margin: 0px;"><font face="Courier New"><br></font></div><div id="bloop_customfont" style="margin: 0px;"><font face="Courier New">;; Query time: 59 msec</font></div></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">I don’t believe the records are overlapping according to this output but please correct me if I’m wrong on this. </div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div> <div id="bloop_sign_1386919385499197952"><span style="font-family:helvetica,arial;font-size:13px"></span>-- <br>Drew Decker<br><span>Sent with <a href="http://airmailapp.com/tracking">Airmail</a></span></div> <br><p style="color:#A0A0A8;">On December 13, 2013 at 12:35:02 AM, Michael Loftis (<a href="mailto://mloftis@wgops.com">mloftis@wgops.com</a>) wrote:</p> <blockquote type="cite" class="clean_bq"><span><div><div>
<title></title>
<p dir="ltr">Is the delegated zone isilon or labisilon? I think you
need to check the A, and NS records as you've mixed them up even in
the email there. I would delegate a completely different sub domain
than I would name the A record just to avoid such confusion, it
sounds like you've got an NS and A records for the same name, which
is why you're getting the static A record from powerdns. </p>
<p dir="ltr">In your typed example you are using labisilon as the
sub domain and lab-isilon as the A record and NS
delegation... What does dig NS <a href="http://labisilon.lab.example.com">labisilon.lab.example.com</a>
@<a href="http://1.2.3.4">1.2.3.4</a> give you? (Replace 1.2.3.4
with the pdns auth server ip address) you should get back two
records, one NS type pointing to lab-isilon and one A type giving
the address to send UDP/TCP queries to.</p>
<p dir="ltr">Sounds like that's where the problem is still. Your
delegation shouldn't have any overlapping A records.... labisilon
should be just an NS which points to lab-isilon, otherwise you get
the behavior you described. Which is a broken delegation.</p>
<div class="gmail_quote">On Dec 12, 2013 9:54 PM, "Drew Decker"
<<a href="mailto:drewrockshard@gmail.com">drewrockshard@gmail.com</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">
<div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
Michael,</div>
<div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<br></div>
<div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
I think you only read a few posts on this thread, so I’ll
give you some details of what had/has been done up to this point,
as I read your entire email and from what you are saying, I’ve
already done (which is why I’m reaching out to the community) -
correct me if I’m wrong.</div>
<div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<br></div>
<div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
I have a single zone: <b><a href="http://lab.example.com" target="_blank">lab.example.com</a></b></div>
<div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<br></div>
<div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
The isilon needs a delegated zone for it to use, so we simply chose
<b><a href="http://isilon.lab.example.com" target="_blank">isilon.lab.example.com</a></b></div>
<div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<br></div>
<div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
From a PowerDNS perspective, <b><a href="http://lab.example.com" target="_blank">lab.example.com</a></b> lives on a single server
<b>pdns01</b> and the database server runs on its own dedicated
hardware <b>pdnsdb01</b>.</div>
<div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<br></div>
<div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
A single zone was created - <b><a href="http://lab.example.com" target="_blank">lab.example.com</a></b></div>
<div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<br></div>
<div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
We added the following DNS records to PowerDNS (in the <b><a href="http://lab.example.com" target="_blank">lab.example.com</a></b>
zone):</div>
<div style="margin:0px">
<pre style="font-size:13px;white-space:pre-wrap;font-family:Helvetica,Arial"><a href="http://labisilon.lab.example.com" target="_blank">labisilon.lab.example.com</a>. 900 IN NS <a href="http://lab-isilon.lab.example.com" target="_blank">lab-isilon.lab.example.com</a>.
<a href="http://lab-isilon.lab.example.com" target="_blank">lab-isilon.lab.example.com</a>. 900 IN A x.x.x.x
</pre>
<pre><font face="Helvetica, Arial"><span style="white-space:normal">Once we added this, it still does not work; when we ping <a href="http://labisilon.lab.example.com" target="_blank">labisilon.lab.example.com</a>, it returns the IP from <a href="http://lab-isilon.lab.example.com" target="_blank">lab-isilon.lab.example.com</a>, which would be as expected, but since the “x.x.x.x” IP is a SmartConnect IP on the Isilon, it actually takes that IP gives a random IP (depends on how the Isilon is configured) back to the client. So, in our case, we basically round-robin it, so each new request to the isilon should give us a new IP, until we get to the end, and then we start over. </span></font>
</pre>
<pre><font face="Helvetica, Arial"><span style="white-space:normal">I just need to know if I’m missing something here, and if not, maybe it is an issue with the Isilon, in this case. I just want to make sure that I’m setting up DNS delegation correctly in PowerDNS, or if I’m missing something PowerDNS specific.</span></font>
</pre></div>
<div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
Thanks for your continued input.</div>
<div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<br></div>
<div>-- <br>
Drew Decker<br>
<br></div>
<br>
<p style="color:#a0a0a8">On December 12, 2013 at 9:32:33 PM,
Michael Loftis (<a href="mailto://mloftis@wgops.com" target="_blank">mloftis@wgops.com</a>) wrote:</p>
<blockquote type="cite">
<div>
<div><span>The most common and obvious example of glue is when you
have a TLD<br>
such as GOV, COM, or EDU delegate your domain, your NS records
usually<br>
exist within your domain so glue must exist higher up, exact
same<br>
principal applies at every level where a delegation occurs.
Say<br>
<a href="http://isil.lab.example.com" target="_blank">isil.lab.example.com</a> is served by the isilon. This is
the delegated<br>
subdomain. <a href="http://lab.example.com" target="_blank">lab.example.com</a> is served by other nameservers. The
A<br>
record you're using could be <a href="http://ns1.isil.lab.example.com" target="_blank">ns1.isil.lab.example.com</a>, and so must<br>
exist in both the <a href="http://isil.lab.example.com" target="_blank">isil.lab.example.com</a> domain, AND the <a href="http://lab.example.com" target="_blank">lab.example.com</a><br>
domain, in two seperate nameservers.<br>
<br>
You must have on BOTH the <a href="http://lab.example.com" target="_blank">lab.example.com</a> and the <a href="http://isil.lab.example.com" target="_blank">isil.lab.example.com</a><br>
domains and nameservers.... A records for out of zone nameservers
in<br>
subdomains are called glue. Nothing magical. Everyone has some
in<br>
COM, GOV, EDU, ORG, etc. If you take a look at <a href="http://google.com" target="_blank">google.com</a>, you'll
see<br>
ns1 through <a href="http://ns4.google.com" target="_blank">ns4.google.com</a> -- those four A records exist in the
COM<br>
zone as glue. Likewise, all four of those A records served by the
COM<br>
nameservers are identical to the ones served by <a href="http://google.com" target="_blank">google.com</a><br>
nameservers. Same thing has to happen on subdomains if the A
record<br>
points to something that exists inside the delegated domain.<br>
<br>
<a href="http://ns1.isil.lab.example.com" target="_blank">ns1.isil.lab.example.com</a> IN A 127.1.1.2<br>
<a href="http://isil.lab.example.com" target="_blank">isil.lab.example.com</a> IN NS <a href="http://ns1.isil.lab.example.com" target="_blank">ns1.isil.lab.example.com</a><br>
<br>
And that leads into yet another pitfall, if those records are<br>
mismatched, BIND and most other resolvers will decide someone
is<br>
trying to poison their cache and refuse to serve results for
that<br>
domain (or subdomain, there is not any distinction to BIND
and<br>
PowerDNS)<br>
<br>
<br>
<br>
<br>
On Thu, Dec 12, 2013 at 4:48 PM, Drew Decker <<a href="mailto:drewrockshard@gmail.com" target="_blank">drewrockshard@gmail.com</a>> wrote:<br>
> Michael,<br>
><br>
> When you state "If the A records that the NS points to are in
the subdomain,<br>
> glue records must be created in the parent domain/zone." - can
you elaborate<br>
> on how to do this? Everything else that you mentioned is DNS
101 and has<br>
> already been done. Explain to me how and what I need to do
about the DNS<br>
> glue records in PowerDNS and I'll give it a try.<br>
><br>
> Thanks!<br>
><br>
><br>
> On Thu, Dec 12, 2013 at 6:36 PM, Michael Loftis <<a href="mailto:mloftis@wgops.com" target="_blank">mloftis@wgops.com</a>> wrote:<br>
>><br>
>> I must be missing something because this is DNS 101. Just
create NS<br>
>> records in the domain on the PDNS server that points at
the isilon.<br>
>> If the A records that the NS points to are in the
subdomain, glue<br>
>> records must be created in the parent domain/zone. There's
no magic,<br>
>> insert the two records into your PowerDNS authoratitive
servers<br>
>> records table, make sure that the clients can contact the
isilon's UDP<br>
>> and TCP port 53 (where the A record points to)<br>
>><br>
>> If you're still having issues I suggest using dig +trace
to see whats<br>
>> going on, and dig in general to see if the isilon is even
responding -<br>
>> it really sounds like you've got a firewall issue that's
keeping<br>
>> anything from being able to contact the delegated-to
nameserver.<br>
>><br>
>> On Thu, Dec 12, 2013 at 4:17 PM, Drew Decker <<a href="mailto:drewrockshard@gmail.com" target="_blank">drewrockshard@gmail.com</a>><br>
>> wrote:<br>
>> > Does anyone else know of a way to do this, or could
give me some<br>
>> > recommendations on how we could do this in or current
configuration? We<br>
>> > just need to be able to create a delegation in
PowerDNS to use a<br>
>> > different<br>
>> > Nameserver on the actual isilon. We are basically
delegating to the<br>
>> > Isilon<br>
>> > for a specific "subdomain".<br>
>> ><br>
>> > Thanks!<br>
>> ><br>
>> ><br>
>> > On Wed, Dec 4, 2013 at 2:06 PM, <a href="mailto:ktm@rice.edu" target="_blank">ktm@rice.edu</a> <<a href="mailto:ktm@rice.edu" target="_blank">ktm@rice.edu</a>>
wrote:<br>
>> >><br>
>> >> On Wed, Dec 04, 2013 at 02:03:57PM -0600, Drew
Decker wrote:<br>
>> >> > Ken,<br>
>> >> ><br>
>> >> > Yea - I don't think this will work for us.
Our domain is shared with<br>
>> >> > the<br>
>> >> > Isilon, so it would be <a href="http://lab.domain.com" target="_blank">lab.domain.com</a>, and I
don't want to forward<br>
>> >> > the<br>
>> >> > entire zone over to the Isilon.<br>
>> >> ><br>
>> >> > thanks!<br>
>> >> ><br>
>> >><br>
>> >> Yes, we put our Isilon in its own (sub)domain for
exactly that reason.<br>
>> >> It<br>
>> >> made this easy. You could roll-your-own with lua
in the recursor if a<br>
>> >> separate<br>
>> >> domain is not possible.<br>
>> >><br>
>> >> Regards,<br>
>> >> Ken<br>
>> ><br>
>> ><br>
>> ><br>
>> ><br>
>> > --<br>
>> > Best Regards,<br>
>> > Drew Decker<br>
>> ><br>
>> > _______________________________________________<br>
>> > Pdns-users mailing list<br>
>> > <a href="mailto:Pdns-users@mailman.powerdns.com" target="_blank">Pdns-users@mailman.powerdns.com</a><br>
>> > <a href="http://mailman.powerdns.com/mailman/listinfo/pdns-users" target="_blank">http://mailman.powerdns.com/mailman/listinfo/pdns-users</a><br>
>> ><br>
>><br>
>><br>
>><br>
>> --<br>
>><br>
>> "Genius might be described as a supreme capacity for
getting its<br>
>> possessors<br>
>> into trouble of all kinds."<br>
>> -- Samuel Butler<br>
><br>
><br>
><br>
><br>
> --<br>
> Best Regards,<br>
> Drew Decker<br>
<br>
<br>
<br>
--<br>
<br>
"Genius might be described as a supreme capacity for getting its
possessors<br>
into trouble of all kinds."<br>
-- Samuel Butler<br></span></div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div></div></span></blockquote></body></html>