[Pdns-users] PowerDNS Delegation (SmartConnect Isilon)

Michael Loftis mloftis at wgops.com
Fri Dec 13 16:18:10 UTC 2013


So there is no A record for labisilon.lab.example.com in the pdns01 name
server? (What's the dig output when you request the A record for the
delegated domain?)

Michael,

You are correct - my typo - it is labisilon (not simply isilon).

When I do "dig @pdns01 NS labisilon.lab.example.com" I get the following:

$ dig @psl-pdns01 ns pslisilon.lab.securustech.net

; <<>> DiG 9.8.3-P1 <<>> @psl-pdns01 ns pslisilon.lab.securustech.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53684
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;labisilon.lab.example.com. IN NS

;; AUTHORITY SECTION:
labisilon.lab.example.com. 900 IN NS lab-isilon.lab.example.com.

;; ADDITIONAL SECTION:
lab-isilon.lab.example.com. 900 IN A x.x.x.x

;; Query time: 59 msec

I don’t believe the records are overlapping according to this output but
please correct me if I’m wrong on this.

-- 
Drew Decker

On December 13, 2013 at 12:35:02 AM, Michael Loftis (mloftis at wgops.com)
wrote:

Is the delegated zone isilon or labisilon? I think you need to check the A
and NS records, as you've mixed them up even in the email there. I would
delegate a completely different subdomain than I would name the A record
just to avoid such confusion. It sounds like you've got NS and A records
for the same name, which is why you're getting the static A record from
PowerDNS.

In your typed example you are using labisilon as the subdomain and
lab-isilon as the A record and NS delegation... What does dig NS
labisilon.lab.example.com @1.2.3.4 give you? (Replace 1.2.3.4 with the pdns
auth server IP address.) You should get back two records, one NS type
pointing to lab-isilon and one A type giving the address to send UDP/TCP
queries to.

Sounds like that's where the problem is still. Your delegation shouldn't
have any overlapping A records... labisilon should be just an NS which
points to lab-isilon, otherwise you get the behavior you described, which
is a broken delegation.

On Dec 12, 2013 9:54 PM, "Drew Decker" <drewrockshard at gmail.com> wrote:

> Michael,
>
> I think you only read a few posts on this thread, so I’ll give you some
> details of what had/has been done up to this point, as I read your entire
> email and from what you are saying, I’ve already done (which is why I’m
> reaching out to the community) - correct me if I’m wrong.
>
> I have a single zone: *lab.example.com*
>
> The isilon needs a delegated zone for it to use, so we simply chose
> *isilon.lab.example.com*
>
> From a PowerDNS perspective, *lab.example.com* lives on a single server
> *pdns01* and the database server runs on its own dedicated hardware
> *pdnsdb01*.
>
> A single zone was created - *lab.example.com*
>
> We added the following DNS records to PowerDNS (in the *lab.example.com*
> zone):
>
> labisilon.lab.example.com. 900 IN NS lab-isilon.lab.example.com.
> lab-isilon.lab.example.com. 900 IN A x.x.x.x
>
> Once we added this, it still does not work; when we ping labisilon.lab.example.com, it returns the IP from lab-isilon.lab.example.com, which would be as expected, but since the “x.x.x.x” IP is a SmartConnect IP on the Isilon, it actually takes that IP and gives a random IP (depends on how the Isilon is configured) back to the client. So, in our case, we basically round-robin it, so each new request to the isilon should give us a new IP, until we get to the end, and then we start over.
>
> I just need to know if I’m missing something here, and if not, maybe it is an issue with the Isilon, in this case. I just want to make sure that I’m setting up DNS delegation correctly in PowerDNS, or if I’m missing something PowerDNS specific.
>
> Thanks for your continued input.
>
> --
> Drew Decker
>
>
> On December 12, 2013 at 9:32:33 PM, Michael Loftis (mloftis at wgops.com)
> wrote:
>
> The most common and obvious example of glue is when you have a TLD
> such as GOV, COM, or EDU delegate your domain, your NS records usually
> exist within your domain so glue must exist higher up, exact same
> principle applies at every level where a delegation occurs. Say
> isil.lab.example.com is served by the isilon. This is the delegated
> subdomain. lab.example.com is served by other nameservers. The A
> record you're using could be ns1.isil.lab.example.com, and so must
> exist in both the isil.lab.example.com domain, AND the lab.example.com
> domain, in two separate nameservers.
>
> You must have on BOTH the lab.example.com and the isil.lab.example.com
> domains and nameservers.... A records for out of zone nameservers in
> subdomains are called glue. Nothing magical. Everyone has some in
> COM, GOV, EDU, ORG, etc. If you take a look at google.com, you'll see
> ns1 through ns4.google.com -- those four A records exist in the COM
> zone as glue. Likewise, all four of those A records served by the COM
> nameservers are identical to the ones served by google.com
> nameservers. Same thing has to happen on subdomains if the A record
> points to something that exists inside the delegated domain.
>
> ns1.isil.lab.example.com IN A 127.1.1.2
> isil.lab.example.com IN NS ns1.isil.lab.example.com
>
> And that leads into yet another pitfall, if those records are
> mismatched, BIND and most other resolvers will decide someone is
> trying to poison their cache and refuse to serve results for that
> domain (or subdomain, there is not any distinction to BIND and
> PowerDNS)
>
>
>
>
> On Thu, Dec 12, 2013 at 4:48 PM, Drew Decker <drewrockshard at gmail.com>
> wrote:
> > Michael,
> >
> > When you state "If the A records that the NS points to are in the
> > subdomain, glue records must be created in the parent domain/zone." - can
> > you elaborate on how to do this? Everything else that you mentioned is DNS
> > 101 and has already been done. Explain to me how and what I need to do
> > about the DNS glue records in PowerDNS and I'll give it a try.
> >
> > Thanks!
> >
> >
> > On Thu, Dec 12, 2013 at 6:36 PM, Michael Loftis <mloftis at wgops.com>
> > wrote:
> >>
> >> I must be missing something because this is DNS 101. Just create NS
> >> records in the domain on the PDNS server that points at the isilon.
> >> If the A records that the NS points to are in the subdomain, glue
> >> records must be created in the parent domain/zone. There's no magic,
> >> insert the two records into your PowerDNS authoritative servers
> >> records table, make sure that the clients can contact the isilon's UDP
> >> and TCP port 53 (where the A record points to)
> >>
> >> If you're still having issues I suggest using dig +trace to see what's
> >> going on, and dig in general to see if the isilon is even responding -
> >> it really sounds like you've got a firewall issue that's keeping
> >> anything from being able to contact the delegated-to nameserver.
> >>
> >> On Thu, Dec 12, 2013 at 4:17 PM, Drew Decker <drewrockshard at gmail.com>
> >> wrote:
> >> > Does anyone else know of a way to do this, or could give me some
> >> > recommendations on how we could do this in our current configuration?
> >> > We just need to be able to create a delegation in PowerDNS to use a
> >> > different Nameserver on the actual isilon. We are basically delegating
> >> > to the Isilon for a specific "subdomain".
> >> >
> >> > Thanks!
> >> >
> >> >
> >> > On Wed, Dec 4, 2013 at 2:06 PM, ktm at rice.edu <ktm at rice.edu> wrote:
> >> >>
> >> >> On Wed, Dec 04, 2013 at 02:03:57PM -0600, Drew Decker wrote:
> >> >> > Ken,
> >> >> >
> >> >> > Yea - I don't think this will work for us. Our domain is shared
> >> >> > with the Isilon, so it would be lab.domain.com, and I don't want to
> >> >> > forward the entire zone over to the Isilon.
> >> >> >
> >> >> > thanks!
> >> >> >
> >> >>
> >> >> Yes, we put our Isilon in its own (sub)domain for exactly that
> >> >> reason. It made this easy. You could roll-your-own with lua in the
> >> >> recursor if a separate domain is not possible.
> >> >>
> >> >> Regards,
> >> >> Ken
> >> >
> >> >
> >> >
> >> >
> >> > --
> >> > Best Regards,
> >> > Drew Decker
> >> >
> >> >
> >>
> >>
> >>
> >> --
> >>
> >> "Genius might be described as a supreme capacity for getting its
> >> possessors
> >> into trouble of all kinds."
> >> -- Samuel Butler
> >
> >
> >
> >
> > --
> > Best Regards,
> > Drew Decker
>
>
>
> --
>
> "Genius might be described as a supreme capacity for getting its possessors
> into trouble of all kinds."
> -- Samuel Butler
>
>
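
The delegation rules discussed in this thread (NS only at the delegated name, an address for the nameserver in the parent, matching glue on both sides), as an added example that is not part of the original messages. The function names and finding labels are hypothetical, the records are constructed, and it assumes the NS target lives in either the parent zone or the delegated zone, as in both cases in the thread:

```python
from collections import defaultdict

def norm(name):
    return name.rstrip(".").lower()

def index(records):
    """Group (name, type, value) tuples into {(name, TYPE): {values}}."""
    table = defaultdict(set)
    for name, rtype, value in records:
        table[(norm(name), rtype.upper())].add(value)
    return table

def check_delegation(parent_records, child, child_records=()):
    """Return sorted findings for the delegation of `child`; [] means clean.

    parent_records: what the parent zone's server holds (pdns01 in the thread).
    child_records: what the delegated-to server answers, if known.
    """
    child = norm(child)
    parent, served = index(parent_records), index(child_records)
    targets = {norm(v) for v in parent.get((child, "NS"), ())}
    findings = [] if targets else ["no-ns"]
    # Thread's rule: in the parent, the delegated name carries NS only.
    for name, rtype in parent:
        if name == child and rtype != "NS":
            findings.append(f"overlap:{rtype}")
    for target in targets:
        addrs = parent.get((target, "A"), set())
        if not addrs:
            # Assumes the NS name lives in the parent or delegated zone.
            findings.append(f"no-address:{target}")
        elif target.endswith("." + child):
            # Glue: the parent's copy must equal the child's own A record.
            own = served.get((target, "A"))
            if own is not None and own != addrs:
                findings.append(f"glue-mismatch:{target}")
    return sorted(findings)

# Constructed sample data; 192.0.2.10 stands in for the x.x.x.x in the post.
POSTED = [
    ("labisilon.lab.example.com.", "NS", "lab-isilon.lab.example.com."),
    ("lab-isilon.lab.example.com.", "A", "192.0.2.10"),
]
OVERLAP = POSTED + [("labisilon.lab.example.com.", "A", "192.0.2.10")]
GLUED = [
    ("isil.lab.example.com.", "NS", "ns1.isil.lab.example.com."),
    ("ns1.isil.lab.example.com.", "A", "127.1.1.2"),
]
```

Feed it the rows from the parent zone's records table and, for the glue comparison, the A answers returned by the delegated-to nameserver.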