<div dir="ltr">Hi Doug<div><br></div><div>Thanks for shedding some light on this</div><div><br></div><div>>If the only things querying these names are clients' stub resolvers, and those clients are configured to use only these recursors directly or indirectly for these names, then your configuration is not wrong, and you won't have any issues</div><div><br></div><div>I only have</div><div><br></div><div>a) direct: clients/servers querying these internal names having these recursor IPs configured in their DNS resolver config</div><div>b) indirect: clients/servers which are querying these names through their own internal DNS (Microsoft AD DNS) which have these recursors configured as DNS Forwarders</div><div><br></div><div>Is my understanding of what I call "indirect" the same understanding as you have with regards to your use of the word "indirectly"?</div><div><br></div><div>Regards</div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat., 2 Nov. 2024 at 08:17, Doug Freed via Pdns-users <<a href="mailto:pdns-users@mailman.powerdns.com">pdns-users@mailman.powerdns.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Sat, Nov 2, 2024 at 2:04 AM rob777 via Pdns-users<br>
<<a href="mailto:pdns-users@mailman.powerdns.com" target="_blank">pdns-users@mailman.powerdns.com</a>> wrote:<br>
><br>
> Hi<br>
><br>
> >AUTHORITY has nothing to do with wether the answer is authoritative. You need to look at the flags<br>
><br>
> Yes, after more research I've realized that the AA flag is the real thing to look for.<br>
><br>
> The pdns-recursor runs on port 53 on the server and forwards the queries for the internal zone through the forward-zone file to the port 53 of the pdns authoritative on the same server - like<br>
><br>
> ...<br>
> example1.mydomain.com=10.0.11.100:5300<br>
> ...<br>
><br>
> I found other posts in pdns mailings about the same with no answers: <a href="https://mailman.powerdns.com/pipermail/pdns-dev/2020-April/001775.html" rel="noreferrer" target="_blank">https://mailman.powerdns.com/pipermail/pdns-dev/2020-April/001775.html</a><br>
> And then another one in a little bit of a different context but with someone replying at the end of the thread that this is an expected behavior<br>
><br>
> -> <a href="https://pdns-users.mailman.powerdns.narkive.com/FjxQ55ou/recursor-pdns-authoritative-and-axfr-problem" rel="noreferrer" target="_blank">https://pdns-users.mailman.powerdns.narkive.com/FjxQ55ou/recursor-pdns-authoritative-and-axfr-problem</a><br>
><br>
> So from research i found two basic sides:<br>
><br>
> a) some say this is the expected behavior and is correct<br>
> b) others are worried about it too and are not sure whether this generates problems for some stuff or not<br>
><br>
> So it leaves me guessing whether I have to care about it for my internal DNS infrastructure (I'm pretty sure that it would not be a problem but not 100% sure)<br>
<br>
The behavior you're seeing is expected given your configuration.<br>
Whether it's correct depends on how your recursor and authoritative<br>
servers are being used. If the only things querying these names are<br>
clients' stub resolvers, and those clients are configured to use only<br>
these recursors directly or indirectly for these names, then your<br>
configuration is not wrong, and you won't have any issues. However,<br>
if other recursors need to query these names, then the authoritative<br>
servers need to be reachable through some mechanism besides through<br>
your recursors, like with dnsdist or otherwise directly, or you are<br>
likely to experience issues. This is especially true for<br>
pdns-recursor, as it does not accept answers from servers that should<br>
be authoritative for the query that do not have the AA bit set.<br>
<br>
><br>
><br>
><br>
> > BTW, obfuscation isn't ever helpful for having people help on a mailing list [1]<br>
><br>
> I agree - especially if the obfuscation is not done in a proper way.<br>
><br>
><br>
> On Fri., 1 Nov. 2024 at 15:10, Jan-Piet Mens via Pdns-users <<a href="mailto:pdns-users@mailman.powerdns.com" target="_blank">pdns-users@mailman.powerdns.com</a>> wrote:<br>
>><br>
>> >$ dig <a href="http://test.example1.mydomain.com" rel="noreferrer" target="_blank">test.example1.mydomain.com</a> @<ip-of-my secondary><br>
>> >; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu<br>
>> >...<br>
>> >;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1<br>
>><br>
>> >As you can see above "AUTHORITY: 0" is a non-authoritative answer<br>
>><br>
>> AUTHORITY has nothing to do with whether the answer is authoritative. You need<br>
>> to look at the flags: this query has RD (recursion desired) and RA (recursion<br>
>> available), meaning you are querying a recursive server and hence no AA (authoritative<br>
>> answer) in the flags.<br>
>><br>
>> BTW, obfuscation isn't ever helpful for having people help on a mailing list [1]<br>
>><br>
>><br>
>> -JP<br>
>><br>
>> [1] <a href="https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open" rel="noreferrer" target="_blank">https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open</a><br>
>> _______________________________________________<br>
>> Pdns-users mailing list<br>
>> <a href="mailto:Pdns-users@mailman.powerdns.com" target="_blank">Pdns-users@mailman.powerdns.com</a><br>
>> <a href="https://mailman.powerdns.com/mailman/listinfo/pdns-users" rel="noreferrer" target="_blank">https://mailman.powerdns.com/mailman/listinfo/pdns-users</a><br>
><br>
<br>
-Doug<br>
</blockquote></div>
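<p>Two points in the thread above are easy to confirm on the wire: Jan-Piet's point that the AUTHORITY section count says nothing about whether an answer is authoritative (only the AA flag does), and Doug's point that a recursor forwarding to a server it expects to be authoritative must see AA set in the reply. The following Python is an added example, not code from the thread or from PowerDNS: it decodes the 12-byte DNS header (RFC 1035 section 4.1.1) from constructed sample packets, renders the flags the way dig prints them, and models the "reject non-AA answers from a supposedly authoritative target" rule in a simplified form; the helper names, the constructed headers and the simplified rule are all assumptions of this example, not pdns-recursor's actual implementation.</p>

```python
import struct

# 16-bit flags word layout (RFC 1035 section 4.1.1):
# QR(1) Opcode(4) AA(1) TC(1) RD(1) RA(1) Z(3) RCODE(4)
FLAG_QR = 0x8000  # response (1) or query (0)
FLAG_AA = 0x0400  # authoritative answer
FLAG_TC = 0x0200  # truncated
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available

HEADER_LEN = 12


def parse_header(packet: bytes) -> dict:
    """Decode the fixed DNS header of a wire-format message into a dict."""
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:HEADER_LEN])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "tc": bool(flags & FLAG_TC),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "qdcount": qd,   # QUERY in dig output
        "ancount": an,   # ANSWER
        "nscount": ns,   # AUTHORITY
        "arcount": ar,   # ADDITIONAL
    }


def dig_style_flags(packet: bytes) -> str:
    """Render the set flags in dig's order, e.g. 'qr rd ra' or 'qr aa'."""
    h = parse_header(packet)
    return " ".join(name for name in ("qr", "aa", "tc", "rd", "ra") if h[name])


def is_authoritative_answer(packet: bytes) -> bool:
    """Only the AA bit marks an answer as authoritative; NSCOUNT is irrelevant."""
    return parse_header(packet)["aa"]


def build_header(ident: int, *, qr: bool, aa: bool, rd: bool, ra: bool,
                 qd: int = 1, an: int = 1, ns: int = 0, ar: int = 1) -> bytes:
    """Assemble a header with the given flags and section counts (test data only)."""
    flags = 0
    if qr:
        flags |= FLAG_QR
    if aa:
        flags |= FLAG_AA
    if rd:
        flags |= FLAG_RD
    if ra:
        flags |= FLAG_RA
    return struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar)


def forwarding_recursor_verdict(packet: bytes) -> str:
    """Simplified model (an assumption of this example, not pdns-recursor's code)
    of what a recursor does with a reply from a server that should be authoritative
    for the forwarded zone: a reply without AA is not usable as authoritative data."""
    h = parse_header(packet)
    if not h["qr"]:
        return "ignored: not a response"
    if not h["aa"]:
        return "rejected: AA bit not set (target answered like a recursor)"
    return "accepted: authoritative answer"


# Constructed sample headers; the flags are all that matters for the checks above.
# 1) What the thread's dig output shows: 'qr rd ra', AUTHORITY: 0 -> a recursor answered.
RECURSOR_REPLY = build_header(0x1234, qr=True, aa=False, rd=True, ra=True, ns=0)
# 2) An authoritative server's reply that also has AUTHORITY: 0 -> still authoritative.
AUTH_REPLY_NO_NS = build_header(0x1234, qr=True, aa=True, rd=False, ra=False, ns=0)
# 3) An authoritative reply carrying two NS records in AUTHORITY -> same verdict as 2.
AUTH_REPLY_WITH_NS = build_header(0x5678, qr=True, aa=True, rd=False, ra=False, ns=2)

if __name__ == "__main__":
    for label, pkt in (("recursor", RECURSOR_REPLY),
                       ("auth, NSCOUNT=0", AUTH_REPLY_NO_NS),
                       ("auth, NSCOUNT=2", AUTH_REPLY_WITH_NS)):
        h = parse_header(pkt)
        print(f"{label:16} flags: {dig_style_flags(pkt):10} AUTHORITY: {h['nscount']} "
              f"-> authoritative={is_authoritative_answer(pkt)}; "
              f"{forwarding_recursor_verdict(pkt)}")
```

<p>Running the script shows that the reply with AUTHORITY: 0 and flags <code>qr aa</code> is authoritative while the <code>qr rd ra</code> reply is not, regardless of section counts. The same header decode can be pointed at a real response by replacing the constructed bytes with a packet captured from the recursor on port 53 and from the authoritative on its own port: if the authoritative's reply shows AA and the recursor's does not, the setup is behaving exactly as Doug describes.</p>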