[Pdns-users] NS delegation problems
Stefan Schmidt
zaphodb at zaphods.net
Wed Feb 4 13:57:13 UTC 2015
On 2015-02-04 14:00, James Cornman wrote:
>> [james at eng:~] % dig @10.250.50.237 [2] 100.94.145.204.in-addr.arpa
>>> ptr
>>>
>>> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @10.250.50.237
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;100.94.145.204.in-addr.arpa. IN PTR
>>>
>>> ;; AUTHORITY SECTION:
>>> 100.94.145.204.in-addr.arpa. 3600 IN NS
>>> ns17.bitronictech.net.
>>>
>>
> It indeed returns with the authoritative answer, but I believe my
> expectation was that since recursion is desired, and there is a
> pdns-recursor available, that it would do the deed. Mainly that dig or
> nslookup off of the pdns-authoritative server, with recursion enabled,
> would end up with an actual PTR answer. You mention that BIND just
> happens
> to do both at the same time..is that something that PDNS can't do, or
> something I'm doing wrong, or in general a false perception of what is
> right?
For recursion to become available on the authoritative Server (i.e.
pdns-server) the config variables
https://doc.powerdns.com/md/authoritative/settings/#recursor
and
https://doc.powerdns.com/md/authoritative/settings/#allow-recursion
will have to be set accordingly.
However it is discouraged to do recursion with the auth Server because
it leads to exactly the kind of confusion you ran into.
Also http://cr.yp.to/djbdns/separation.html lists some good reasons for
keeping those two services separated from each other.
BIND9 also changed its default behaviour in that regard. (
https://kb.isc.org/article/AA-00269/0/What-has-changed-in-the-behavior-of-allow-recursion-and-allow-query-cache.html
)
> Here you ask with the "rd" aka recursion desired flag and it appears
> that
>> your BIND Server is indeed configured to recurse for you and go ask
>> ns17.bitronictech.net about the PTR for 100.94.145.204.in-addr.arpa.
>> This
>> is now recursive DNS works, however it is not how authoritative DNS
>> works.
>> BIND just happens to do both at the same time.
>>
> Querying the pdns-recursor directly does return the proper result,
> however
> ARIN isn't set to point to this pool of pdns servers and thus this
> recursion is likely interacting with BIND which is still authoritative
> for
> the reverse in-addr.arpa zone....none of which helps my troubleshooting
Correct, if the ARIN nameservers are still pointing to the IPs of your
BIND9 setup then there is no easy way to test if your new setup works
with recursive nameservers.
As i said already you could tell your recursive Server to ask the IP of
your PowerDNS auth setup directly, thus bypassing the ARIN delegation.
In PowerDNS recursor you could do that with the
https://doc.powerdns.com/md/recursor/settings/#forward-zones-recurse
option.
For example put
forward-zones-recurse=94.145.204.in-addr.arpa=10.250.50.237
in your recursor.conf.
Stefan
More information about the Pdns-users
mailing list