[Pdns-users] allow-recursion-override for 'fake' domain causes problem delegating fake subdomain

John Morris jman at ablesky.com
Wed Sep 24 04:12:59 UTC 2008


Our company's DNS is split with an internal 'fake' view set up with 
allow-recursion-override, as detailed in 
http://doc.powerdns.com/recursion.html .

Before now, out of ignorance, I'd left the allow-recursion-override out 
of the configuration.  Questions with no answers in pdns's local 
databases would be forwarded to the 'real' DNS servers which don't do 
recursion and would respond with SERVFAIL.  A WAN outage revealed the 
problem when the link to the external servers was broken and our LAN 
slowed to a crawl while waiting for DNS timeouts.

Setting the allow-recursion-override flag fixed the problem, of course, 
but introduced another problem.  Our test network is a subdomain, and we 
delegate the subdomain to nameservers on the test network.  The recursor 
uses the 'forward-zones' option to know where to send the queries.  With 
the allow-recursion-override flag, though, queries to the subdomain fail 
on the internal nameservers, and aren't recursed to the subdomain's 

What is the best way to fix this problem?  I don't see any flag like 
'allow-recursion-override-exceptions', and I suspect that the fault lies 
in my design for our DNS system.  Is there a simple configuration change 
that will fix this problem?  Or should I rethink our design?


