[Pdns-users] Questions About Authority

Anthony Eden anthony at sdc-hawaii.co.mp
Thu Nov 11 19:34:45 UTC 2004 

First off let me say that I have read question three in section 18.2 of 
the manual, so I am not going to say that PowerDNS is not giving 
authoritative answers. ;-)

Here's my problem: I run the name servers for a ccTLD (.mp).  We would 
like to be able to have a wildcard record for all non-delegated domains. 
  Obviously this is a problem since many Bind name servers in the world 
have the delegation-only patch applied.  Enter PowerDNS.

I've tried setting up PowerDNS to first check the bind backend and then 
use the pipe backend to a Perl script if a result is not found in the 
bind data.  I am running PowerDNS installed from the RPM 
pdns-static-2.9.16-1.i386.rpm on RedHat 9.

The results of this test are currently running on ns1.nic.mp:50001.

If you query that name server with the command:

  dig -t any -p 50001 @ns1.nic.mp foo.mp

You will see the result returned from the Perl script.  If you query it 
with:

  dig -t any -p 50001 @ns1.nic.mp sunrise.mp

You will see the result returned from the bind data.

Yesterday I enabled this configuration on port 53 in the production 
environment.  I then went to a machine on the RoadRunner network (their 
DNS servers have the delegation-only patch applied so they are a good 
test) and lo and behold nothing resolved, not even the names which are 
in the bind zone files and which resolved fine using Bind.  Through 
LavaNet (the provider at my office) everything worked fine with the new 
name servers.

Like I said, I know that section 18.2 says that the Authority section 
printed by the results from dig has nothing to do with the actual 
authority, but I would also like to point out that the exact same bind 
records resolved through Bind do show the Authority section whereas it 
is not shown through PowerDNS.  You can see this yourself by comparing 
the results from:

  dig @ns1.nic.mp sunrise.mp

and

  dig -p 50001 @ns1.nic.mp sunrise.mp

I have no idea if this is important, but I do know that when I switched 
back to Bind the sunrise.mp name began resolving again.  The sunrise.mp 
name is actually delegated in the mp zone file to the sunrise.mp zone file.

In case it helps, here is the logic part of the Perl script which deals 
with responses:

if(($qtype eq 'ANY' || $qtype eq 'A') && $qname =~ /\.mp/){
     print STDERR "$$ Sending A records\n";
     print "DATA     $qname  $qclass A       3600    1 
66.135.225.102\n";
}

if(($qtype eq 'ANY' || $qtype eq 'NS') && $qname =~ /\.mp/){
     print STDERR "$$ Sending NS records\n";
     print "DATA     $qname  $qclass NS      3600    1       ns1.nic.mp\n";
     print "DATA     $qname  $qclass NS      3600    1       ns2.nic.mp\n";
}
if(($qtype eq 'ANY' || $qtype eq 'SOA') && $qname =~ /\.mp/){
     print STDERR "$$ Sending SOA records\n";
     print "DATA     $qname  $qclass SOA     3600    1       ns1.nic.mp 
admin.nic.mp 1 10800 3600 694800 3600\n";
}
if(($qtype eq 'ANY' || $qtype eq 'MX') && $qname =~ /\.mp/){
     print STDERR "$$ Sending MX records\n";
     print "DATA     $qname  $qclass MX      3600    1       10 
mail.mp\n";
}


Any help would be greatly appreciated.  I've been fighting with this 
problem for quite a while now and will be happy to get it fixed and out 
of the way.  Naturally if I have left something out then

Sincerely,
Anthony Eden

More information about the Pdns-users mailing list