[Pdns-users] allow-recursion-override for 'fake' domain causes problem delegating fake subdomain
John Morris
jman at ablesky.com
Wed Sep 24 04:12:59 UTC 2008
Hi,

Our company's DNS is split with an internal 'fake' view set up with
allow-recursion-override, as detailed in
http://doc.powerdns.com/recursion.html .

Before now, out of ignorance, I'd left the allow-recursion-override out
of the configuration. Questions with no answers in pdns's local
databases would be forwarded to the 'real' DNS servers which don't do
recursion and would respond with SERVFAIL. A WAN outage revealed the
problem when the link to the external servers was broken and our LAN
slowed to a crawl while waiting for DNS timeouts.

Setting the allow-recursion-override flag fixed the problem, of course,
but introduced another problem. Our test network is a subdomain, and we
delegate the subdomain to nameservers on the test network. The recursor
uses the 'forward-zones' option to know where to send the queries. With
the allow-recursion-override flag, though, queries to the subdomain fail
on the internal nameservers, and aren't recursed to the subdomain's
nameservers.

What is the best way to fix this problem? I don't see any flag like
'allow-recursion-override-exceptions', and I suspect that the fault lies
in my design for our DNS system. Is there a simple configuration change
that will fix this problem? Or should I rethink our design?

Thanks-

John