[Pdns-users] Why prefer recursor answers over auth Authoritative answers?

David Sparks dave at ca.sophos.com
Wed Feb 4 22:45:57 UTC 2009


Why does the PowerDNS auth server not answer queries that it is both authoritative
for and has an answer for in its auth server, when recursion is available and
requested?

Background:

I have set up a PowerDNS installation to replace a BIND installation.  We have
run a split-horizon setup in BIND that has worked for many years.  Since
PowerDNS does not support this, I intend to continue to run BIND to answer the
Internet queries, and PowerDNS will answer the internal queries, both auth and
recursive.

The PowerDNS auth server, when queried for a record that it is both authoritative
for and that exists, will pass the query to the recursor if the recursion desired
flag is set (without doing any kind of lookup).  What this means is that queries
that could and should be answered by PowerDNS are passed on to the Internet
auth server.  The answer from the Internet auth server is from the wrong zone.

This behavior can be worked around by setting "allow-recursion-override=yes",
but then delegated subdomains no longer work.  Why does the auth server pass
queries to the recursor instead of first attempting to answer them?


Below is the output of 4 queries:

A plain query to PowerDNS is wrong. (2006 SOA comes from Internet auth server)
A query to PowerDNS with +norec is right. (2007 SOA from PowerDNS)
PowerDNS with allow-recursion-override=yes is right. (2007 SOA from PowerDNS)
BIND9 is right. (2007 SOA from BIND internal view)


------------------------------------------
allow-recursion-override=no - wrong answer
~ # dig -t soa ahost.example.com @10.0.0.12

; <<>> DiG 9.4.1-P1 <<>> -t soa ahost.example.com @10.0.0.12
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3198
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ahost.example.com.                 IN      SOA

;; AUTHORITY SECTION:
example.com.               0       IN      SOA     ns1.example.com.
postmaster.example.com. 2006030201 3600 900 2419200 900


-----------------------------------------------------------
allow-recursion-override=no but +norec on dig: right answer
~ # dig +norec -t soa ahost.example.com @10.0.0.12

; <<>> DiG 9.4.1-P1 <<>> +norec -t soa ahost.example.com @10.0.0.12
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64492
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ahost.example.com.                 IN      SOA

;; AUTHORITY SECTION:
example.com.               60      IN      SOA     ns1.example.com.
hostmaster.example.com. 2007041200 60 60 60 60

-------------------------------------------
allow-recursion-override=yes - right answer
~ # dig -t soa ahost.example.com @10.0.0.11

; <<>> DiG 9.4.1-P1 <<>> -t soa ahost.example.com @10.0.0.11
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40863
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ahost.example.com.                 IN      SOA

;; AUTHORITY SECTION:
example.com.               60      IN      SOA     ns1.example.com.
hostmaster.example.com. 2007041200 60 60 60 60

--------------------
BIND9 - right answer
~ # dig -t soa ahost.example.com @10.0.0.19

; <<>> DiG 9.4.1-P1 <<>> -t soa ahost.example.com @10.0.0.19
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63338
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ahost.example.com.                 IN      SOA

;; AUTHORITY SECTION:
example.com.               60      IN      SOA     ns1.example.com.
postmaster.example.com. 2007041200 60 60 60 60


DNS server legend:

allow-recursion-override=yes	10.0.0.11
allow-recursion-override=no	10.0.0.12
bind9				10.0.0.19
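As an added illustration, not part of the original post and not PowerDNS or BIND code: a small Python check that parses the parts of a dig reply that matter here (status, header flags, SOA serial) and flags the condition the post describes, a name the server is authoritative for being handed to the recursor. It does this by comparing the reply to an ordinary RD=1 query with the reply to the same query sent with +norec (RD=0) against the same server. The four sample replies are constructed from the outputs quoted above; the function names parse_dig and classify, and the verdict strings, are the example's own.

```python
import re

# Constructed sample replies, trimmed to the sections the check reads.
# They reproduce the four dig outputs quoted in the post.
DIG_RD_DEFAULT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3198
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ahost.example.com.                 IN      SOA

;; AUTHORITY SECTION:
example.com.               0       IN      SOA     ns1.example.com.
postmaster.example.com. 2006030201 3600 900 2419200 900
"""

DIG_NOREC = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64492
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
example.com.               60      IN      SOA     ns1.example.com.
hostmaster.example.com. 2007041200 60 60 60 60
"""

DIG_RD_OVERRIDE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40863
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; AUTHORITY SECTION:
example.com.               60      IN      SOA     ns1.example.com.
hostmaster.example.com. 2007041200 60 60 60 60
"""

DIG_BIND = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63338
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
example.com.               60      IN      SOA     ns1.example.com.
postmaster.example.com. 2007041200 60 60 60 60
"""


def parse_dig(text):
    """Extract status, header flags and the first SOA serial from dig output.

    The SOA RR may wrap across two lines (dig prints the RNAME on the next
    line), so non-comment lines are joined before the serial is searched.
    """
    status, flags = None, set()
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            status = m.group(1) if m else None
        m = re.match(r";; flags: ([a-z ]*);", line)
        if m:
            flags = set(m.group(1).split())
    body = " ".join(l for l in text.splitlines() if l and not l.startswith(";"))
    m = re.search(r"\bIN\s+SOA\s+\S+\s+\S+\s+(\d+)", body)
    serial = int(m.group(1)) if m else None
    return {"status": status, "flags": flags, "serial": serial}


def classify(rd_reply, norec_reply):
    """Compare the RD=1 reply with the RD=0 reply from the same server.

    If the server is authoritative (aa set on the RD=0 reply) but the RD=1
    reply is not authoritative, or carries a different SOA serial or rcode,
    the query was handed to the recursor instead of answered from the zone.
    """
    if "aa" not in norec_reply["flags"]:
        return "not-authoritative"      # server does not own this name at all
    if ("aa" in rd_reply["flags"]
            and rd_reply["serial"] == norec_reply["serial"]
            and rd_reply["status"] == norec_reply["status"]):
        return "ok"                      # served from the local zone both ways
    return "recursor-override"           # RD=1 answer came from somewhere else


if __name__ == "__main__":
    norec = parse_dig(DIG_NOREC)
    for label, text in (("10.0.0.12 allow-recursion-override=no", DIG_RD_DEFAULT),
                        ("10.0.0.11 allow-recursion-override=yes", DIG_RD_OVERRIDE)):
        print(label, "->", classify(parse_dig(text), norec))
    print("10.0.0.19 bind9 ->", classify(parse_dig(DIG_BIND), parse_dig(DIG_BIND)))
```

To use it against a live server, capture `dig -t soa NAME @SERVER` and `dig +norec -t soa NAME @SERVER` and pass the two outputs to parse_dig and classify. The check only compares the aa flag, rcode and SOA serial, so a recursor that forwards to a copy of the same zone data will come back as "ok"; it detects the wrong-zone case shown in the post, not every forwarding path.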

