[Pdns-users] PowerDNS Delegation (SmartConnect Isilon)

Michael Loftis mloftis at wgops.com
Fri Dec 13 22:54:21 UTC 2013


Ah...You actually *may* have hit a bug.  What version of powerdns and
what backend?  There's an issue on github, number 49, fixed in commit
number 549 according to the bug where PDNS was behaving similarly to
this...if you dig for things *under* that subdomain, e.g.
test.labisilon.lab.domain.com you get the correct response (NS and A
records w/ no AA bit indicating you must chase the delegation) -- but
when querying for the delegated domain, it returns the SOA and an AA
bit w/ NXDOMAIN indicating no such record.
https://github.com/PowerDNS/pdns/issues/49

Might actually be that bug you're seeing!  Sorry for the run around if
so, I didn't even know the bug existed until now.

This of course assumes correct records and all...which is why I had
you run all those digs...

On Fri, Dec 13, 2013 at 10:22 AM, Drew Decker <drewrockshard at gmail.com> wrote:
> Michael,
>
> the PowerDNS server IS the main recursor resolver and the IP of the PowerDNS
> server is actually in /etc/resolv.conf for all of the platform servers.  We
> no longer have any BIND servers in our infrastructure.
>
> Here are the dig outputs:
>
> $ dig @pdns01 NS labisilon.lab.domain.com
>
> ; <<>> DiG 9.8.3-P1 <<>> @pdns01 NS labisilon.lab.domain.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9680
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;labisilon.lab.domain.com. IN NS
>
> ;; AUTHORITY SECTION:
> lab.domain.com. 900 IN SOA pdns01.lab.domain.com. linuxadmins.domain.com.
> 2013073047 86400 7200 604800 3600
>
> ;; Query time: 1 msec
>
> [~]
> ddecker$ dig @pdns01 A labisilon.lab.domain.com
>
> ; <<>> DiG 9.8.3-P1 <<>> @pdns01 A labisilon.lab.domain.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1337
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;labisilon.lab.domain.com. IN A
>
> ;; AUTHORITY SECTION:
> lab.domain.com. 900 IN SOA pdns01.lab.domain.com. linuxadmins.domain.com.
> 2013073047 86400 7200 604800 3600
>
> ;; Query time: 0 msec
>
>
> --
> Drew Decker
> Sent with Airmail
>
> On December 13, 2013 at 12:08:35 PM, Michael Loftis (mloftis at wgops.com)
> wrote:
>
> No you definitely do not want to add an A record for
> labisilon.lab.domain.com to the powerdns server, that would cause it
> to always serve the A record. From the response information I take it
> the powerdns server isn't your recursive resolver (IE it's not what's
> in the /etc/resolv.conf or equivalent for your platform) - but from
> the output you've shown me the first half of the delegation is fine.
> The second half of the delegation must also exist or BIND in
> particular won't count it as valid (though the validation is lazy so
> you'll sometimes get an answer, but most of the time not) -- and the
> second half is the matching NS record on the isilon, and the SOA
> (though the SOA is less important) -- you'll want to do the same dig
> @x.x.x.x NS labisilon.lab.domain.com and dig @x.x.x.x A
> labisilon.lab.domain.com - this is all part of diagnosing what
> actually *is* happening with this delegation. If the NS records aren't
> being returned from the isilon or the A or SOA isn't I can't really
> help you out there if those aren't there as I've never used the
> smartconnect product though there's a small chance I can get some
> information since we used their storage boxes at my present day job
> years back before I started (We literally have a couple racks worth of
> them sitting around after being decommissioned).
>
>
> ... reading a bit in...is securustech.net the actual domain? It has
> wild cards which would be causing all manner of hell for you, if the A
> record you're getting back is the same as I'm seeing from the outside
> - 69.43.161.163 - then that would explain your problems. Your
> recursive resolver is getting the wildcard answers from your outside
> nameservers.
>
> On Fri, Dec 13, 2013 at 8:23 AM, Drew Decker <drewrockshard at gmail.com>
> wrote:
>> Same output -
>>
>> dig @psl-pdns01 A pslisilon.lab.securustech.net
>>
>> ; <<>> DiG 9.8.3-P1 <<>> @pdns01 A labisilon.lab.domain.com
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24930
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>>
>> ;; QUESTION SECTION:
>> ;labisilon.lab.domain.com. IN A
>>
>> ;; AUTHORITY SECTION:
>> labisilon.lab.domain.com 900 IN NS lab-isilon.lab.domain.com.
>>
>> ;; ADDITIONAL SECTION:
>> lab-isilon.lab.domain.com. 900 IN A x.x.x.x
>>
>> ;; Query time: 2 msec
>>
>> Do I need to specifically add an “A” record of labisilon.lab.domain.com ->
>> x.x.x.x?
>> --
>> Drew Decker
>> Sent with Airmail
>>
>> On December 13, 2013 at 10:18:10 AM, Michael Loftis (mloftis at wgops.com)
>> wrote:
>>
>> labisilon.lab.example.com
>
>
>
> --
>
> "Genius might be described as a supreme capacity for getting its possessors
> into trouble of all kinds."
> -- Samuel Butler



-- 

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
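
Added example, not part of the original thread and not PowerDNS code: a small Python classifier for the two response shapes discussed above, a proper referral (NOERROR, no AA bit, NS for the delegated zone in the AUTHORITY section) versus an authoritative NXDOMAIN carrying the parent zone's SOA. The sample responses are constructed from the dig output quoted in the thread (trimmed to the lines the parser reads), and the function names are hypothetical.

```python
import re

# Constructed samples modelled on the dig output quoted in this thread.
BUGGY = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9680
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;labisilon.lab.domain.com. IN NS
;; AUTHORITY SECTION:
lab.domain.com. 900 IN SOA pdns01.lab.domain.com. linuxadmins.domain.com. 2013073047 86400 7200 604800 3600
"""
REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24930
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;labisilon.lab.domain.com. IN A
;; AUTHORITY SECTION:
labisilon.lab.domain.com 900 IN NS lab-isilon.lab.domain.com.
"""

def norm(name):
    # Compare names case-insensitively and without the trailing root dot.
    return name.rstrip(".").lower()

def parse_dig(text):  # -> (status, flags, qname, [(owner, rrtype), ...])
    status = re.search(r"status: (\w+)", text).group(1)
    flags = re.search(r"flags: ([a-z ]+);", text).group(1).split()
    qname, authority, section = None, [], None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
        elif not line.strip():
            section = None  # a blank line ends the current section
        elif section == "QUESTION" and line.startswith(";"):
            qname = norm(line[1:].split()[0])
        elif section == "AUTHORITY" and not line.startswith(";"):
            f = line.split()  # owner, TTL, class, type, rdata...
            authority.append((norm(f[0]), f[3].upper()))
    return status, flags, qname, authority

def classify(text, delegated):
    status, flags, qname, auth = parse_dig(text)
    zone, aa = norm(delegated), "aa" in flags
    in_zone = qname == zone or qname.endswith("." + zone)
    if status == "NOERROR" and not aa and (zone, "NS") in auth:
        return "referral"  # resolver must chase the delegation
    if in_zone and aa and status == "NXDOMAIN" and any(t == "SOA" for _, t in auth):
        return "authoritative-nxdomain"  # parent denies a name it delegates
    return "other"
```
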



