[Pdns-users] External CNAME w/ auth and recursor

Sebastien Luttringer sebastien.luttringer at smartjog.com
Mon Mar 10 14:35:53 UTC 2008


Sascha Holzleiter wrote:
> Sebastien Luttringer schrieb:
>> Sascha Holzleiter wrote:
>>   And for your example, dig answers that...
>>
>> # dig @127.0.0.1 test.tdf-pmm.wan
>> ; <<>> DiG 9.3.4 <<>> @127.0.0.1 test.tdf-pmm.wan
>> ; (1 server found)
>> ;; global options:  printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33663
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;test.tdf-pmm.wan.              IN      A
>>
>> ;; AUTHORITY SECTION:
>> .                       3320    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2008030401 1800 900 604800 86400
>>
>> ;; Query time: 33 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Wed Mar  5 17:08:09 2008
>> ;; MSG SIZE  rcvd: 109
>>
>>   
>
> This is strange. PowerDNS usually never answers with an NXDOMAIN for
> domains which it thinks
> it is authoritative for.
>
> OK, to make it short, maybe there is a problem in your
> Recursor<->PowerDNS interaction, so here
> is a setup which works:
This is really strange, because the problem is the same if the recursor is
BIND, so this cannot be a misconfiguration of pdns-recursor. No?
>
> pdns-recursor bound to 127.0.0.1
> pdns bound to 212.227.60.43
For me, pdns-recursor is bound to 127.0.0.1:5353 and pdns to 127.0.0.1:53.

>
> For recursion to work you must specify the recursor in pdns.conf:
>
> recursor=127.0.0.1
recursor=127.0.0.1:5353
>
> Then, if you hit the nameserver with the question for e.g. in this
> example
> test.root-login.org it will forward this request to the recursor as it
> can't
> resolve the record by itself. For this example i have
> test.root-login.org as a CNAME to ns.seblu.net.
> But there is still the problem, that my secondary NS isn't controlled
> by me and also refuses to recurse
> this entry, so i'll tell the recursor to forward the root-login.org
> zone to my pdns server like this:
>
> forward-zones=root-login.org=212.227.60.43
For me: forward-zones=tdf-pmm.wan=127.0.0.1
OK, this is a "solution". Thanks!
But this cuts out many advantages of pdns and its MySQL backend, because for
each domain under the authority of pdns a modification in recursor.conf is
needed... This cannot be a solution.
>
> With this in place everything works as expected:
>
> > dig @212.227.60.43 test.root-login.org
>
> ; <<>> DiG 9.4.2 <<>> @212.227.60.43 test.root-login.org
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20401
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;test.root-login.org.           IN      A
>
> ;; ANSWER SECTION:
> test.root-login.org.    86178   IN      CNAME   ns.seblu.net.
> ns.seblu.net.           172578  IN      A       88.191.33.22
>
> ;; Query time: 3 msec
> ;; SERVER: 212.227.60.43#53(212.227.60.43)
> ;; WHEN: Wed Mar  5 23:25:33 2008
> ;; MSG SIZE  rcvd: 79
>
> What happens behind the scenes is this:
>
> * We ask PDNS for an A entry for test.root-login.org
> * PDNS has no A record for this, only a CNAME, but that wasn't asked
> for, so the original
>   query is forwarded to the recursor
> * The recursor gets the question for the A entry of
> test.root-login.org. I've told it to ask
>   my PDNS server any questions regarding this zone, so it asks it and
> gets the CNAME,
>   and as the recursor is allowed to recurse further it does this and
> comes up with the A
>   record.
Yes, but this is a kind of "cheat code".

> * The recursor gives everything back to PDNS which gives it to us and
> makes us happy ;)
No, because other recursive DNS servers, like those of ISPs or universities,
don't see this CNAME.
> Hope this helps to get your setup right. There seems to be something
> wrong there.
> With these things you just have to make sure you don't build a
> resolving circle
> within the recursor<->PDNS interaction :)
In fact no, but thanks for your help! I think it's just a PowerDNS
problem:

If I run a BIND on 10.0.2.15, I get this answer from dig:
# dig @10.0.2.15 test.tdf-pmm.net

; <<>> DiG 9.3.4 <<>> @10.0.2.15 test.tdf-pmm.net
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43996
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;test.tdf-pmm.net.             IN      A

;; ANSWER SECTION:
test.tdf-pmm.net.      604800  IN      CNAME   ns.seblu.net.

;; AUTHORITY SECTION:
.                       518400  IN      NS      A.ROOT-SERVERS.net.
.                       518400  IN      NS      B.ROOT-SERVERS.net.
.                       518400  IN      NS      C.ROOT-SERVERS.net.
.                       518400  IN      NS      D.ROOT-SERVERS.net.
.                       518400  IN      NS      E.ROOT-SERVERS.net.
.                       518400  IN      NS      F.ROOT-SERVERS.net.
.                       518400  IN      NS      G.ROOT-SERVERS.net.
.                       518400  IN      NS      H.ROOT-SERVERS.net.
.                       518400  IN      NS      I.ROOT-SERVERS.net.
.                       518400  IN      NS      J.ROOT-SERVERS.net.
.                       518400  IN      NS      K.ROOT-SERVERS.net.
.                       518400  IN      NS      L.ROOT-SERVERS.net.
.                       518400  IN      NS      M.ROOT-SERVERS.net.

;; Query time: 34 msec
;; SERVER: 10.0.2.15#53(10.0.2.15)
;; WHEN: Mon Mar 10 12:18:41 2008
;; MSG SIZE  rcvd: 266

and this one from a pdns server on 127.0.0.1:

# dig @127.0.0.1 test.tdf-pmm.wan

; <<>> DiG 9.3.4 <<>> @127.0.0.1 test.tdf-pmm.wan
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41025
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;test.tdf-pmm.wan.              IN      A

;; AUTHORITY SECTION:
.                       10164   IN      SOA     A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2008030901 0 900 604800 86400

;; Query time: 88 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Mar 10 12:18:30 2008
;; MSG SIZE  rcvd: 109

BIND, when it's not a recursor, answers a query for an A record with the
CNAME record if one exists (but doesn't recurse, of course).
Pdns, when it's not a recursor, answers a query for an A record with an
NXDOMAIN, and then the recursive DNS assumes this is true...

pdns :/

-- 
Sebastien "Seblu" Luttringer      sebastien.luttringer at smartjog.com
Smartjog SA                       http://www.smartjog.com/
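The two dig outputs in the thread differ in more than the status code, and the difference is what makes the pdns behaviour harmful beyond this one host: the BIND answer carries the `aa` flag and the zone's own CNAME, while the pdns answer has no `aa` flag and its AUTHORITY section holds the SOA of the root zone, that is, a negative answer produced by the recursor (which walked from the root and found no `wan` TLD) and relayed unchanged by the authoritative server. Under RFC 2308 section 5, any resolver receiving such an NXDOMAIN caches it for min(SOA TTL, SOA MINIMUM) seconds. The following script is an added example, not code from the thread or from PowerDNS or BIND: it parses dig's text output and classifies the answer, using the three responses posted in the thread as constructed sample input (BIND's AUTHORITY section is truncated to one NS line, the pdns SOA record is kept wrapped over three lines as the mail wrapped it, and the `zone` argument naming the zone the server is supposed to be authoritative for is an assumption of the script, not something dig reports).

```python
"""Classify a dig answer from an authoritative server that has a recursor behind it.

Added example, not code from the thread or from PowerDNS/BIND. Input is the text
that dig prints; the samples below are copied from the thread (constructed input).
"""
import re

# BIND on 10.0.2.15 (from the thread; AUTHORITY truncated to one NS line).
BIND_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43996
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;test.tdf-pmm.net.             IN      A

;; ANSWER SECTION:
test.tdf-pmm.net.      604800  IN      CNAME   ns.seblu.net.

;; AUTHORITY SECTION:
.                       518400  IN      NS      A.ROOT-SERVERS.net.
"""

# pdns on 127.0.0.1 with recursor= set (from the thread; SOA wrapped as in the mail).
PDNS_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41025
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;test.tdf-pmm.wan.              IN      A

;; AUTHORITY SECTION:
.                       10164   IN      SOA     A.ROOT-SERVERS.NET.
NSTLD.VERISIGN-GRS.COM. 2008030901
0 900 604800 86400
"""

# pdns with the recursor's forward-zones pointing back at it (Sascha's output).
FORWARDED_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20401
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;test.root-login.org.           IN      A

;; ANSWER SECTION:
test.root-login.org.    86178   IN      CNAME   ns.seblu.net.
ns.seblu.net.           172578  IN      A       88.191.33.22
"""


def parse_dig(text):
    """Return (status, flags, sections); a record is its whitespace-split fields:
    owner, ttl, class, type, rdata...  Wrapped rdata lines are glued back on."""
    status = re.search(r"status: ([A-Z]+)", text).group(1)
    flags = re.search(r"flags: ([a-z ]*?);", text).group(1).split()
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r";; ([A-Z]+) SECTION:", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line and not line.startswith(";"):
            fields = line.split()
            if len(fields) > 3 and fields[2] == "IN":
                sections[current].append(fields)
            elif sections[current]:           # continuation of a wrapped record
                sections[current][-1].extend(fields)
    return status, flags, sections


def diagnose(text, zone):
    """zone: the zone the queried server is supposed to be authoritative for (assumed)."""
    zone = zone.rstrip(".") + "."
    status, flags, sections = parse_dig(text)
    answers = sections.get("ANSWER", [])
    authority = sections.get("AUTHORITY", [])
    if any(r[3] == "A" for r in answers):
        return "resolved"                      # CNAME chased for us (recursor involved)
    if "aa" in flags and any(r[3] == "CNAME" for r in answers):
        return "authoritative-cname"           # BIND-style: CNAME handed out, no chase
    if status == "NXDOMAIN":
        if "aa" in flags:
            return "authoritative-nxdomain"    # the zone itself says the name is absent
        soas = [r for r in authority if r[3] == "SOA"]
        # SOA owned by a parent of the zone (here the root): the negative answer
        # was produced elsewhere and merely relayed; the zone's data was never consulted.
        if soas and soas[0][0] != zone and not soas[0][0].endswith("." + zone):
            return "relayed-nxdomain"
        return "nxdomain"
    return "other"


def negative_cache_ttl(text):
    """RFC 2308 s5: resolvers cache a negative answer for min(SOA TTL, SOA MINIMUM)."""
    _, _, sections = parse_dig(text)
    for r in sections.get("AUTHORITY", []):
        if r[3] == "SOA" and len(r) >= 11:     # ... mname rname serial refresh retry expire minimum
            return min(int(r[1]), int(r[10]))
    return None


if __name__ == "__main__":
    for label, out, zone in (("bind", BIND_OUTPUT, "tdf-pmm.net"),
                             ("pdns", PDNS_OUTPUT, "tdf-pmm.wan"),
                             ("pdns+forward-zones", FORWARDED_OUTPUT, "root-login.org")):
        print(f"{label:20s} {diagnose(out, zone):22s} negative TTL: {negative_cache_ttl(out)}")
```

For the pdns answer the script reports `relayed-nxdomain` with a negative TTL of 10164 seconds (min of the SOA's own TTL 10164 and its MINIMUM 86400), which is how long an outside resolver that asked the pdns box would keep believing test.tdf-pmm.wan does not exist. As a control when reproducing this, query with `dig +norecurse`, which clears the RD bit; the `recursor=` hand-off applies to recursion-desired queries, so that answer shows what pdns says on its own.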