[Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
Drew Decker
drewrockshard at gmail.com
Fri Dec 13 18:22:17 UTC 2013
Michael,
The PowerDNS server IS the main recursor resolver and the IP of the PowerDNS server is actually in /etc/resolv.conf for all of the platform servers. We no longer have any BIND servers in our infrastructure.
Here are the dig outputs:
$ dig @pdns01 NS labisilon.lab.domain.com
; <<>> DiG 9.8.3-P1 <<>> @pdns01 NS labisilon.lab.domain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9680
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;labisilon.lab.domain.com. IN NS
;; AUTHORITY SECTION:
lab.domain.com. 900 IN SOA pdns01.lab.domain.com. linuxadmins.domain.com. 2013073047 86400 7200 604800 3600
;; Query time: 1 msec
[~]
ddecker$ dig @pdns01 A labisilon.lab.domain.com
; <<>> DiG 9.8.3-P1 <<>> @pdns01 A labisilon.lab.domain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1337
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;labisilon.lab.domain.com. IN A
;; AUTHORITY SECTION:
lab.domain.com. 900 IN SOA pdns01.lab.domain.com. linuxadmins.domain.com. 2013073047 86400 7200 604800 3600
;; Query time: 0 msec
--
Drew Decker
Sent with Airmail
On December 13, 2013 at 12:08:35 PM, Michael Loftis (mloftis at wgops.com) wrote:
No you definitely do not want to add an A record for
labisilon.lab.domain.com to the powerdns server, that would cause it
to always serve the A record. From the response information I take it
the powerdns server isn't your recursive resolver (IE it's not what's
in the /etc/resolv.conf or equivalent for your platform) - but from
the output you've shown me the first half of the delegation is fine.
The second half of the delegation must also exist or BIND in
particular won't count it as valid (though the validation is lazy so
you'll sometimes get an answer, but most of the time not) -- and the
second half is the matching NS record on the isilon, and the SOA
(though the SOA is less important) -- you'll want to do the same dig
@x.x.x.x NS labisilon.lab.domain.com and dig @x.x.x.x A
labisilon.lab.domain.com - this is all part of diagnosing what
actually *is* happening with this delegation. If the NS records aren't
being returned from the isilon or the A or SOA isn't I can't really
help you out there if those aren't there as I've never used the
smartconnect product though there's a small chance I can get some
information since we used their storage boxes at my present day job
years back before I started (We literally have a couple racks worth of
them sitting around after being decommissioned).
... reading a bit in...is securustech.net the actual domain? It has
wild cards which would be causing all manner of hell for you, if the A
record you're getting back is the same as I'm seeing from the outside
- 69.43.161.163 - then that would explain your problems. Your
recursive resolver is getting the wildcard answers from your outside
nameservers.
On Fri, Dec 13, 2013 at 8:23 AM, Drew Decker <drewrockshard at gmail.com> wrote:
> Same output -
>
> dig @psl-pdns01 A pslisilon.lab.securustech.net
>
> ; <<>> DiG 9.8.3-P1 <<>> @pdns01 A labisilon.lab.domain.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24930
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;labisilon.lab.domain.com. IN A
>
> ;; AUTHORITY SECTION:
> labisilon.lab.domain.com 900 IN NS lab-isilon.lab.domain.com.
>
> ;; ADDITIONAL SECTION:
> lab-isilon.lab.domain.com. 900 IN A x.x.x.x
>
> ;; Query time: 2 msec
>
> Do I need to specifically add an “A” record of labisilon.lab.domain.com ->
> x.x.x.x?
> --
> Drew Decker
> Sent with Airmail
>
> On December 13, 2013 at 10:18:10 AM, Michael Loftis (mloftis at wgops.com)
> wrote:
>
> labisilon.lab.example.com
--
"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
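
Added example, not part of the original thread: a small Python classifier for the two kinds of dig output shown above. It tells a referral (NOERROR, no aa flag, NS for the queried name in AUTHORITY) apart from an authoritative NXDOMAIN answered out of the parent zone (aa flag, parent SOA in AUTHORITY). The sample texts are constructed and trimmed from the outputs in this thread, 192.0.2.10 is a placeholder address, and the names parse_dig and classify are hypothetical.

```python
import re

# Constructed samples, trimmed from the dig outputs quoted in this thread.
REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24930
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;labisilon.lab.domain.com. IN A
;; AUTHORITY SECTION:
labisilon.lab.domain.com. 900 IN NS lab-isilon.lab.domain.com.
;; ADDITIONAL SECTION:
lab-isilon.lab.domain.com. 900 IN A 192.0.2.10
"""
AUTH_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9680
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;labisilon.lab.domain.com. IN NS
;; AUTHORITY SECTION:
lab.domain.com. 900 IN SOA pdns01.lab.domain.com. linuxadmins.domain.com. 2013073047 86400 7200 604800 3600
"""

def parse_dig(text):
    """Return (status, flags, {section: [(owner, rtype, rdata), ...]})."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = set(re.search(r"flags: ([a-z ]+);", text).group(1).split())
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
        elif current and line and not line.startswith(";"):
            # Record lines: owner TTL class type rdata
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            sections.setdefault(current, []).append((owner, rtype, rdata))
    return status, flags, sections

def classify(text, qname):
    """Describe how the queried server treated qname."""
    status, flags, sec = parse_dig(text)
    auth = sec.get("AUTHORITY", [])
    ns_for_name = [r for r in auth if r[1] == "NS" and r[0] == qname]
    if status == "NOERROR" and "aa" not in flags and ns_for_name and not sec.get("ANSWER"):
        return "referral"  # server points at the child zone's name servers
    if status == "NXDOMAIN" and "aa" in flags:
        soa = [r[0] for r in auth if r[1] == "SOA"]
        # Server answered from its own zone data: the name does not exist there.
        return "authoritative-nxdomain from " + (soa[0] if soa else "?")
    return "other"
```
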