[Pdns-users] Delegation of subdomain when allow-recursion-override=on

Wed Jan 20 19:38:27 UTC 2010

On Jan 19, 2010, at 2:08 PM, bert hubert wrote:
> I briefly thought you were Anthony Mangieri ;-) But he has better things to
> do than manage DNS.

I have neither his skill nor the tattoos. But in my quest for that ultimate pie, I built a wood-fired oven in my backyard last summer. Still a grasshopper. There is much to learn. In the mean time, why not do the next best thing -- configure pdns :-)

> 
> Can you show an AXFR of your foobar.com domain? I'm not too aware of the
> exact workings of the LDAP backend, so I need to see if your problem is
> simply DNS related.

Sorry, I can't do axfr because I have ldap-method=strict. It won't do it. But I have solved this problem in a different way. Before I explain that solution, please be aware that this issue seems to have nothing to do with subdomain per se. If in my example, instead of sub.foobar.com, if I try to delegate anything.com via LDAP NS record, it won't work either. So I think either LDAP backend doesn't like to delegate or I'm not setting something right.

Anyway, here is my current solution:
I removed recursion override in pdns.conf. Because of this all queries that are unfulfilled by pdns kick out to the recursor (which runs on the same machine).
I set up forward-zones in recursor to go to the BIND server for sub.foobar.com.
The side effect of this of course is that unfulfilled queries in foobar.com also get out to the recursor, which then kicks it out to the evil outside world for resolution. To avoid this leak, I set up forward-zones for foobar.com to point back to the ldap pdns. I was worried that this would result in some loop, but it didn't. Now I have no leaks to the outside due to recursion override being off, and I get to delegate sub.foobar.com to another server.

I hope this pointing back from recursor is OK. What do you think?

Thanks
Srini Sankaran

> 
> Thanks.
> 
> 	Bert
> 
> 
> On Sun, Jan 17, 2010 at 09:00:56PM -0800, Pizza Napoletana wrote:
>> I am sorry, I made a mistake in my prior post. I said that the NS record for sub.foobar.com is followed when recursion-override is off. That's not true. The reason it works in the override=off case is because I have a "forward-zones" line in recursor.conf for sub.foobar.com.
>> 
>> So, may be my NS record isn't set right for sub.foobar.com in LDAP. But I am setting it pretty similar to how I do it for foobar.com, except that it points to the other server that serves up sub.foobar.com.
>> 
>> Thanks for your help.
>> 
>> On Jan 17, 2010, at 5:24 PM, Pizza Napoletana wrote:
>> 
>>> I am using ldap backend with pdns 2.9.22_2 on FreeBSD 7.0.
>>> 
>>> I serve foobar.com from this server. Everything is great.
>>> I serve sub.foobar.com from another (non-pdns) server. That's fine too, by itself.
>>> Now, I want the foobar.com pdns server to redirect sub.foobar.com queries to the other server.
>>> 
>>> So, I created an NS record on LDAP for sub.foobar.com.
>>> But the pdns server refuses to query the other server when I do lookups for names in sub.foobar.com domain, IF I set allow-recursion-override=on.
>>> If I don't set recursion override, then things are OK. However, I want the recursion-override behavior for other situations.
>>> 
>>> So....
>>> Is there a way for me to have recursion override, as well as make pdns follow the NS record to another server for a subdomain?
>>> 
>>> Thanks
>>> 
>>> 
>>> _______________________________________________
>>> Pdns-users mailing list
>>> Pdns-users at mailman.powerdns.com
>>> http://mailman.powerdns.com/mailman/listinfo/pdns-users
>> 
>> _______________________________________________
>> Pdns-users mailing list
>> Pdns-users at mailman.powerdns.com
>> http://mailman.powerdns.com/mailman/listinfo/pdns-users
>> 