[Pdns-users] PowerDNS Delegation (SmartConnect Isilon)

Drew Decker drewrockshard at gmail.com
Fri Dec 13 07:27:18 UTC 2013


Michael,

You are correct - my typo - it is labisilon (not simply isilon).

When I do “dig @pdns01 NS labisilon.lab.example.com" I get the following:

$ dig @psl-pdns01 ns pslisilon.lab.securustech.net

; <<>> DiG 9.8.3-P1 <<>> @psl-pdns01 ns pslisilon.lab.securustech.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53684
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;labisilon.lab.example.com.	IN	NS

;; AUTHORITY SECTION:
labisilon.lab.example.com. 900 IN	NS	lab-isilon.lab.example.com.

;; ADDITIONAL SECTION:
lab-isilon.lab.example.com.	900 IN	A	x.x.x.x

;; Query time: 59 msec

I don’t believe the records are overlapping according to this output but please correct me if I’m wrong on this.  

-- 
Drew Decker
Sent with Airmail

On December 13, 2013 at 12:35:02 AM, Michael Loftis (mloftis at wgops.com) wrote:

Is the delegated zone isilon or labisilon? I think you need to check the A, and NS records as you've mixed them up even in the email there. I would delegate a completely different sub domain than I would name the A record just to avoid such confusion, it sounds like you've got an NS and A records for the same name, which is why you're getting the static A record from powerdns. 

In your typed example you are using labisilon as the sub domain and lab-isilon as the A record and NS delegation...  What does dig NS labisilon.lab.example.com @1.2.3.4 give you? (Replace 1.2.3.4 with the pdns auth server ip address) you should get back two records, one NS type pointing to lab-isilon and one A type giving the address to send UDP/TCP queries to.

Sounds like that's where the problem is still. Your delegation shouldn't have any overlapping A records.... labisilon should be just an NS which points to lab-isilon, otherwise you get the behavior you described. Which is a broken delegation.

On Dec 12, 2013 9:54 PM, "Drew Decker" <drewrockshard at gmail.com> wrote:
Michael,

I think  you only read a few posts on this thread, so I’ll give you some details of what had/has been done up to this point, as I read your entire email and from what you are saying, I’ve already done (which is why I’m reaching out to the community) - correct me if I’m wrong.

I have a single zone: lab.example.com

The isilon needs a delegated zone for it to use, so we simply chose isilon.lab.example.com

From a PowerDNS perspective, lab.example.com lives on a single server pdns01 and the database server runs on its own dedicated hardware pdnsdb01.

A single zone was created - lab.example.com

We added the following DNS records to PowerDNS (in the lab.example.com zone):
labisilon.lab.example.com. 900 IN NS lab-isilon.lab.example.com.
lab-isilon.lab.example.com. 900 IN A x.x.x.x
Once we added this, it still does not work; when we ping labisilon.lab.example.com, it returns the IP from lab-isilon.lab.example.com, which would be as expected, but since the “x.x.x.x” IP is a SmartConnect IP on the Isilon, it actually takes that IP gives a random IP (depends on how the Isilon is configured) back to the client. So, in our case, we basically round-robin it, so each new request to the isilon should give us a new IP, until we get to the end, and then we start over.   
I just need to know if I’m missing something here, and if not, maybe it is an issue with the Isilon, in this case. I just want to make sure that I’m setting up DNS delegation correctly in PowerDNS, or if I’m missing something PowerDNS specific.
Thanks for your continued input.

-- 
Drew Decker


On December 12, 2013 at 9:32:33 PM, Michael Loftis (mloftis at wgops.com) wrote:

The most common and obvious example of glue is when you have a TLD
such as GOV, COM, or EDU delegate your domain, your NS records usually
exist within your domain so glue must exist higher up, exact same
principal applies at every level where a delegation occurs. Say
isil.lab.example.com is served by the isilon. This is the delegated
subdomain. lab.example.com is served by other nameservers. The A
record you're using could be ns1.isil.lab.example.com, and so must
exist in both the isil.lab.example.com domain, AND the lab.example.com
domain, in two seperate nameservers.

You must have on BOTH the lab.example.com and the isil.lab.example.com
domains and nameservers.... A records for out of zone nameservers in
subdomains are called glue. Nothing magical. Everyone has some in
COM, GOV, EDU, ORG, etc. If you take a look at google.com, you'll see
ns1 through ns4.google.com -- those four A records exist in the COM
zone as glue. Likewise, all four of those A records served by the COM
nameservers are identical to the ones served by google.com
nameservers. Same thing has to happen on subdomains if the A record
points to something that exists inside the delegated domain.

ns1.isil.lab.example.com IN A 127.1.1.2
isil.lab.example.com IN NS ns1.isil.lab.example.com

And that leads into yet another pitfall, if those records are
mismatched, BIND and most other resolvers will decide someone is
trying to poison their cache and refuse to serve results for that
domain (or subdomain, there is not any distinction to BIND and
PowerDNS)




On Thu, Dec 12, 2013 at 4:48 PM, Drew Decker <drewrockshard at gmail.com> wrote:
> Michael,
>
> When you state "If the A records that the NS points to are in the subdomain,
> glue records must be created in the parent domain/zone." - can you elaborate
> on how to do this? Everything else that you mentioned is DNS 101 and has
> already been done. Explain to me how and what I need to do about the DNS
> glue records in PowerDNS and I'll give it a try.
>
> Thanks!
>
>
> On Thu, Dec 12, 2013 at 6:36 PM, Michael Loftis <mloftis at wgops.com> wrote:
>>
>> I must be missing something because this is DNS 101. Just create NS
>> records in the domain on the PDNS server that points at the isilon.
>> If the A records that the NS points to are in the subdomain, glue
>> records must be created in the parent domain/zone. There's no magic,
>> insert the two records into your PowerDNS authoratitive servers
>> records table, make sure that the clients can contact the isilon's UDP
>> and TCP port 53 (where the A record points to)
>>
>> If you're still having issues I suggest using dig +trace to see whats
>> going on, and dig in general to see if the isilon is even responding -
>> it really sounds like you've got a firewall issue that's keeping
>> anything from being able to contact the delegated-to nameserver.
>>
>> On Thu, Dec 12, 2013 at 4:17 PM, Drew Decker <drewrockshard at gmail.com>
>> wrote:
>> > Does anyone else know of a way to do this, or could give me some
>> > recommendations on how we could do this in or current configuration? We
>> > just need to be able to create a delegation in PowerDNS to use a
>> > different
>> > Nameserver on the actual isilon. We are basically delegating to the
>> > Isilon
>> > for a specific "subdomain".
>> >
>> > Thanks!
>> >
>> >
>> > On Wed, Dec 4, 2013 at 2:06 PM, ktm at rice.edu <ktm at rice.edu> wrote:
>> >>
>> >> On Wed, Dec 04, 2013 at 02:03:57PM -0600, Drew Decker wrote:
>> >> > Ken,
>> >> >
>> >> > Yea - I don't think this will work for us. Our domain is shared with
>> >> > the
>> >> > Isilon, so it would be lab.domain.com, and I don't want to forward
>> >> > the
>> >> > entire zone over to the Isilon.
>> >> >
>> >> > thanks!
>> >> >
>> >>
>> >> Yes, we put our Isilon in its own (sub)domain for exactly that reason.
>> >> It
>> >> made this easy. You could roll-your-own with lua in the recursor if a
>> >> separate
>> >> domain is not possible.
>> >>
>> >> Regards,
>> >> Ken
>> >
>> >
>> >
>> >
>> > --
>> > Best Regards,
>> > Drew Decker
>> >
>> > _______________________________________________
>> > Pdns-users mailing list
>> > Pdns-users at mailman.powerdns.com
>> > http://mailman.powerdns.com/mailman/listinfo/pdns-users
>> >
>>
>>
>>
>> --
>>
>> "Genius might be described as a supreme capacity for getting its
>> possessors
>> into trouble of all kinds."
>> -- Samuel Butler
>
>
>
>
> --
> Best Regards,
> Drew Decker



--

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20131213/5305ce45/attachment-0001.html>


More information about the Pdns-users mailing list