<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 06/12/2022 17:06, Curtis Maurand via
Pdns-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:a112fcac-e17f-50b7-4ca5-2fdedc073b7d@maurand.com"><font
face="Helvetica, Arial, sans-serif">On the authoritative server
I host a domain that I'll call domain.tld as the example.</font></blockquote>
<p>It really helps if you give the real domain, since many problems
can be diagnosed easily by querying the auth nameserver. See</p>
<p><a class="moz-txt-link-freetext" href="https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/">https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/</a></p>
<p>Is this a real domain, i.e. does your authoritative server have a
public IP address and NS records pointing at it? I am guessing
that it is, since you say it's dnssec signed. Is your auth server
behind any sort of NAT?<br>
</p>
<p><br>
</p>
<blockquote type="cite"
cite="mid:a112fcac-e17f-50b7-4ca5-2fdedc073b7d@maurand.com"><font
face="Helvetica, Arial, sans-serif">All seems to be well, until
I query the local recursor which returns nothing. It answers,
but doesn't return a response.</font></blockquote>
<p>Define "nothing": NOERROR with no records, NXDOMAIN, SERVFAIL,
something else?</p>
<p>Can your recursor reach the authoritative server on its public IP
address?</p>
<p>That is, from the shell of the recursor, can you query the auth
server like this:<br>
</p>
<p>dig +norec @x.x.x.x domain.tld. a<br>
</p>
<p><br>
</p>
<blockquote type="cite"
cite="mid:a112fcac-e17f-50b7-4ca5-2fdedc073b7d@maurand.com"><font
face="Helvetica, Arial, sans-serif"> I've tried forward-zones =
domain.tld=192.168.100.30; and that doesn't seem to work.</font></blockquote>
<p>You can run tcpdump to see whether the recursor is sending
queries to 192.168.100.30, and if so, what response it gets.</p>
<p>tcpdump -i eth0 -nn -s0 -v port 53 and host 192.168.100.30</p>
<p><br>
</p>
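<p>As an added illustration (not part of the original message), the following Python script does what the suggested <code>dig +norec</code> check does at the protocol level: it builds a DNS query with the RD bit clear, sends it straight to the authoritative server, and then classifies the reply the way the reply above asks ("NOERROR with no records, NXDOMAIN, SERVFAIL, something else?"). It also reports the AA bit, which tells you whether the server you hit actually considers itself authoritative for the zone. The sample packets at the bottom are constructed by hand so the classification logic can be exercised offline; <code>query_auth</code> is the only part that touches the network, and the server address and zone name are placeholders.</p>

```python
import socket
import struct

# Standard DNS RCODE names (RFC 1035 / RFC 2136 subset)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qtype=1, recursion_desired=False, txid=0x1234):
    """Build a DNS query packet. RD=0 mirrors what `dig +norec` sends,
    so an authoritative server must answer from its own zone data."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify_response(packet):
    """Parse the 12-byte DNS header and say what kind of 'nothing' it is."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    rcode = flags & 0x000F
    result = {
        "id": txid,
        "rcode": RCODES.get(rcode, str(rcode)),
        "aa": bool(flags & 0x0400),   # Authoritative Answer
        "tc": bool(flags & 0x0200),   # Truncated (retry over TCP)
        "ra": bool(flags & 0x0080),   # Recursion Available
        "answers": an,
        "authority": ns,
    }
    if rcode == 0 and an == 0:
        result["verdict"] = "NOERROR with no records (NODATA or empty answer)"
    elif rcode == 0:
        result["verdict"] = f"NOERROR with {an} answer record(s)"
    else:
        result["verdict"] = result["rcode"]
    return result

def query_auth(server_ip, name, qtype=1, timeout=3.0):
    """Send a non-recursive UDP query to server_ip (placeholder address)
    and classify the reply. Needs network; not used by the offline samples."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        data, _ = s.recvfrom(4096)
    return classify_response(data)

# --- Constructed sample replies for the placeholder zone domain.tld ---
def _response(flags, an=0, ns=0):
    qsec = b"\x06domain\x03tld\x00\x00\x01\x00\x01"  # domain.tld. A IN
    return struct.pack("!HHHHHH", 0x1234, flags, 1, an, ns, 0) + qsec

# QR+AA set, one A record (name pointer to offset 12, TTL 3600, 192.168.100.30)
SAMPLE_AUTH_OK = _response(0x8400, an=1) + \
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\xa8\x64\x1e"
SAMPLE_NODATA = _response(0x8400, an=0, ns=1)   # NOERROR, empty answer
SAMPLE_NXDOMAIN = _response(0x8403)            # QR+AA, rcode 3
SAMPLE_SERVFAIL = _response(0x8182)            # QR+RD+RA, rcode 2 (recursor style)

if __name__ == "__main__":
    for label, pkt in [("auth ok", SAMPLE_AUTH_OK), ("nodata", SAMPLE_NODATA),
                       ("nxdomain", SAMPLE_NXDOMAIN), ("servfail", SAMPLE_SERVFAIL)]:
        print(label, classify_response(pkt))
    # Real check, e.g.: print(query_auth("192.0.2.1", "domain.tld."))
```

<p>When run against a live authoritative server, a reply with <code>aa</code> false or <code>rcode</code> REFUSED usually means the address you reached is not serving the zone (wrong NAT mapping, wrong listen address, or the zone is not loaded), while SERVFAIL from the recursor but a clean AA answer from the auth server points at the recursor's path to it (reachability, DNSSEC validation, or the forward-zones setting).</p>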
</body>
</html>