[Pdns-users] "recursion not available" for authoritative domain, but recursion for everything else works?

Tony Maro tonymaro at gmail.com
Sun Feb 22 18:30:09 UTC 2009

Here's what I've done...

I've set up two PowerDNS authoritative servers using an LDAP replicated
backend, serving an internal Intranet DNS (outside on the Internet is
domain.com, inside is inside.domain.com for example)

I installed the recursor server on each of the authoritative pdns machines,
answering to port 54.  I pointed the authoritative servers to recursor=   Each recursor has "local-address=" and

The primary server is, and the secondary server (running off the
ldap replication server) is

Unfortunately I also have a legacy Windows Active Directory domain that I'm
in the process of phasing out.  I've configured the Windows 2003 AD DNS
server to use and for all recursion, since I can't
wholesale replace the Windows DNS until those workstations are migrated

Here's how my DNS lookups progress:
Linux workstation -> PDNS Authoritative for internal.domain.com -> PDNS
Windows workstation -> AD Domain server DNS for internal.someother.com ->
PDNS Authoritative for internal.domain.com -> PDNS recursor  (temporary
This allows the Windows workstations to query their required A/D server and
still get answers on the second internal domain names - the Linux stations
really could care less about the Windows DNS names.  All external recursion
is handled by pdns-recursor.

Both pdns servers are configured identically, just pointed to their own
machine for the ldap backend.

From one particular machine on the network, sometimes it will get a response

$nslookup firewall.inside.domain.com
*;; Got recursion not available from, trying next server*

Name:   firewall.inside.domain.com

When this happens, *any machine asking for what SHOULD be an authoritative
answer from will not resolve*, BUT what's weird is that any
address not known to my domain is being answered from the recursor on - which
is only reachable from the authoritative server at - which just reported
recursion not available... ?

So why would the authoritative server not be answering in an authoritative
way for its own domain?

What's even more strange is this:

$ nslookup firewall.inside.domain.com
*;; Got recursion not available from, trying next server*

Name:    thinfire.inside.domain.com

$ nslookup firewall.inside.domain.com

Name:    firewall.inside.domain.com

And to convolute it even more...
If I restart the pdns authoritative server on it will resolve
names fine for a while even through the Windows server recursing to it - but
sooner or later it will end up failing lookups again.  The "Got recursion
not available" error goes away after the restart, for a while.

More details:
Primary PowerDNS server is Ubuntu 8.10.  Backup server is Ubuntu 8.04.
Both authoritative servers have:


Both recursors have:


Neither server is logging anything interesting in syslog.

The windows server is authoritative for a separate
internal.anotherdomain.com (which is being phased out) so I can't just
eliminate it right now.

If I can't get this solved I'll have to go back to bind9 without the LDAP

Tony Maro
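A way to see exactly which header flags each server hands back, added here as an example and not part of the original post or of PowerDNS itself: it builds a query with RD set (as nslookup does), decodes the AA, RA and RCODE fields of the reply, and reports the verdict nslookup prints, which is "recursion not available" whenever RD was requested and the reply has RA clear, even if that reply is authoritative and carries answers. Hostnames and the sample replies below are constructed.

```python
import socket
import struct

# Flag bits in the DNS header (RFC 1035 section 4.1.1).
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080

def build_query(name, qtype=1, rd=True, txid=0x1234):
    """Build a minimal query for NAME (qtype 1 = A); RD set like nslookup sends."""
    header = struct.pack("!HHHHHH", txid, RD if rd else 0, 1, 0, 0, 0)
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(packet):
    """Return the header fields of a DNS message as a dict."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "tc": bool(flags & TC), "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "ancount": an}

def classify(response, asked_rd=True):
    """Describe a reply the way nslookup reacts to it: RD asked + RA clear is
    reported as 'recursion not available' and the server is skipped, no matter
    whether AA is set or answer records are present."""
    h = parse_header(response)
    if asked_rd and not h["ra"]:
        return "recursion not available"
    if h["rcode"] == 2:
        return "SERVFAIL"
    if h["rcode"] == 3:
        return "NXDOMAIN"
    return "authoritative answer" if h["aa"] else "non-authoritative answer"

def probe(server, name, port=53, timeout=2.0):
    """Send one UDP query to SERVER and return (header dict, classification)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        data, _ = s.recvfrom(4096)
    return parse_header(data), classify(data)

def sample_response(flags, ancount):
    """Constructed reply header (no question/answer sections) for offline checks."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

if __name__ == "__main__":
    # Constructed replies: an authoritative answer with RA clear is what nslookup rejects.
    print(classify(sample_response(QR | AA, 1)))        # recursion not available
    print(classify(sample_response(QR | AA | RA, 1)))   # authoritative answer
```

Running probe() against the authoritative server and against the recursor for the same name shows which of the two is setting RA, and whether the authoritative reply that nslookup discards actually carried AA and an answer.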