[Pdns-users] allow-recursion-override for 'fake' domain causes problem delegating fake subdomain

Brendan Oakley gentux2 at gmail.com
Wed Oct 8 23:49:06 UTC 2008


Hi John,

On 9/23/08, John Morris wrote:
>
>  Our company's DNS is split with an internal 'fake' view set up with
> allow-recursion-override, as detailed in
> http://doc.powerdns.com/recursion.html .

Let's see if I understand this correctly. Your internal DNS servers
are hosting a zone for which they are not really the authoritative
servers. You have a recursor on some IP, possibly localhost, set in
your pdns.conf.

>  Before now, out of ignorance, I'd left the allow-recursion-override out of
> the configuration.  Questions with no answers in pdns's local databases
> would be forwarded to the 'real' DNS servers which don't do recursion and
> would respond with SERVFAIL.  A WAN outage revealed the problem when the
> link to the external servers was broken and our LAN slowed to a crawl while
> waiting for DNS timeouts.

In other words, for those records not listed on your internal servers,
it was passing to the recursor instead of returning NXDOMAIN. When
recursion became impossible, queries for non-existent records were
then subject to timeouts, making everything wait. OK.

>  Setting the allow-recursion-override flag fixed the problem, of course, but

Good.

> introduced another problem.  Our test network is a subdomain, and we
> delegate the subdomain to nameservers on the test network.  The recursor
> uses the 'forward-zones' option to know where to send the queries.  With the
> allow-recursion-override flag, though, queries to the subdomain fail on the
> internal nameservers, and aren't recursed to the subdomain's nameservers.

So your PDNS server is hosting somedomain.com, and you were using the
recursor to direct queries to testnetwork.somedomain.com to another
nameserver on the test network?

>  What is the best way to fix this problem?  I don't see any flag like
> 'allow-recursion-override-exceptions', and I suspect that
> the fault lies in my design for our DNS system.  Is there a simple
> configuration change that will fix this problem?  Or should I rethink our
> design?

What you need is one or more NS records for the subdomain in the
somedomain zone, and corresponding glue records:

testnetwork                        IN     NS     ns1.testnetwork.somedomain.com.
ns1.testnetwork.somedomain.com.    IN     A      10.3.2.1

Brendan
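As an added illustration of the delegation check Brendan describes (this is editor-supplied example code, not anything from the thread or from PowerDNS), the script below parses a simplified zone snippet and reports any subdomain NS target that lives inside the delegated subdomain but has no glue A/AAAA record. The zone text, the ns2 host and the $ORIGIN handling are constructed assumptions.

```python
# Added example (not from the thread): verify that a zone delegates a
# subdomain with NS records and that every in-bailiwick NS target has glue.
# Assumes a simplified zone format: "$ORIGIN" lines plus "name class type rdata".

ZONE_TEXT = """
$ORIGIN somedomain.com.
testnetwork                      IN  NS  ns1.testnetwork.somedomain.com.
ns1.testnetwork.somedomain.com.  IN  A   10.3.2.1
testnetwork                      IN  NS  ns2.testnetwork.somedomain.com.
"""  # constructed sample; ns2 deliberately has no glue A record


def fqdn(name, origin):
    """Qualify a relative owner/target name against $ORIGIN."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (origin, records); each record is a (name, type, rdata) tuple."""
    origin, records = None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        name, _rclass, rtype, rdata = line.split(None, 3)
        rtype = rtype.upper()
        if rtype in ("NS", "CNAME"):
            rdata = fqdn(rdata, origin)          # rdata is a name, qualify it
        records.append((fqdn(name, origin), rtype, rdata.lower()))
    return origin, records


def missing_glue(text):
    """List (delegated_name, ns_target) pairs whose in-bailiwick target lacks glue."""
    origin, records = parse_zone(text)
    have_addr = {n for n, t, _ in records if t in ("A", "AAAA")}
    problems = []
    for name, rtype, target in records:
        if rtype != "NS" or name == origin:      # only delegations, not apex NS
            continue
        # Glue is needed only when the NS host sits under the delegated name.
        if target.endswith("." + name) and target not in have_addr:
            problems.append((name, target))
    return problems


if __name__ == "__main__":
    for delegated, ns in missing_glue(ZONE_TEXT):
        print(f"{delegated}: NS {ns} is in-bailiwick but has no glue")
```

Run against the sample, it flags ns2 and stays quiet about ns1, which is exactly the pair of records Brendan's answer says the somedomain zone needs.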

