[Pdns-users] NS delegation problems

Stefan Schmidt zaphodb at zaphods.net
Wed Feb 4 13:57:13 UTC 2015

On 2015-02-04 14:00, James Cornman wrote:
>>  [james at eng:~] % dig @ [2]
>>> ptr
>>> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>> ;   IN      PTR
>>> 3600 IN    NS
>>>  ns17.bitronictech.net.
> It indeed returns with the authoritative answer, but I believe my
> expectation was that since recursion is desired, and there is a
> pdns-recursor available, that it would do the deed.  Mainly that dig or
> nslookup off of the pdns-authoritative server, with recursion enabled,
> would end up with an actual PTR answer. You mention that BIND just 
> happens
> to do both at the same time..is that something that PDNS can't do, or
> something I'm doing wrong, or in general a false perception of what is
> right?

For recursion to become available on the authoritative Server (i.e. 
pdns-server) the config variables
will have to be set accordingly.
However it is discouraged to do recursion with the auth Server because 
it leads to exactly the kind of confusion you ran into.
Also http://cr.yp.to/djbdns/separation.html lists some good reasons for 
keeping those two services separated from each other.
BIND9 also changed its default behaviour in that regard. ( 

> Here you ask with the "rd" aka recursion desired flag and it appears 
> that
>> your BIND Server is indeed configured to recurse for you and go ask
>> ns17.bitronictech.net about the PTR for 
>> This
>> is now recursive DNS works, however it is not how authoritative DNS 
>> works.
>> BIND just happens to do both at the same time.
> Querying the pdns-recursor directly does return the proper result, 
> however
> ARIN isn't set to point to this pool of pdns servers and thus this
> recursion is likely interacting with BIND which is still authoritative 
> for
> the reverse in-addr.arpa zone....none of which helps my troubleshooting

Correct, if the ARIN nameservers are still pointing to the IPs of your 
BIND9 setup then there is no easy way to test if your new setup works 
with recursive nameservers.
As i said already you could tell your recursive Server to ask the IP of 
your PowerDNS auth setup directly, thus bypassing the ARIN delegation.
In PowerDNS recursor you could do that with the 
For example put
in your recursor.conf.


More information about the Pdns-users mailing list