[Pdns-users] NS delegation problems

Wed Feb 4 14:25:30 UTC 2015

I set the forward-zones-recurse option and it seems to be working
correctly. It makes me question if the understanding of the query flow is
just all wrong. I will pursue separating authoritative and recursive since
this isn't working as expected. I guess I'm curious why the recursor
options are even present if this functionality doesnt work for any zones
that are authoritative. All other recursion is working with exception to
zones we're authoritative of that need additional recursion.  I'll review
the materials you suggested to get some more insight though it seems to
stand that some additional clarification might be necessary for the pdns
documentation :)

I appreciate the help. Thank you.

On Wed, Feb 4, 2015 at 8:57 AM, Stefan Schmidt <zaphodb at zaphods.net> wrote:

> On 2015-02-04 14:00, James Cornman wrote:
>
>>  [james at eng:~] % dig @10.250.50.237 [2] 100.94.145.204.in-addr.arpa
>>>
>>>> ptr
>>>>
>>>> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @10.250.50.237
>>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>>>
>>>> ;; QUESTION SECTION:
>>>> ;100.94.145.204.in-addr.arpa.   IN      PTR
>>>>
>>>> ;; AUTHORITY SECTION:
>>>> 100.94.145.204.in-addr.arpa. 3600 IN    NS
>>>>  ns17.bitronictech.net.
>>>>
>>>>
>>>  It indeed returns with the authoritative answer, but I believe my
>> expectation was that since recursion is desired, and there is a
>> pdns-recursor available, that it would do the deed.  Mainly that dig or
>> nslookup off of the pdns-authoritative server, with recursion enabled,
>> would end up with an actual PTR answer. You mention that BIND just happens
>> to do both at the same time..is that something that PDNS can't do, or
>> something I'm doing wrong, or in general a false perception of what is
>> right?
>>
>
> For recursion to become available on the authoritative Server (i.e.
> pdns-server) the config variables
> https://doc.powerdns.com/md/authoritative/settings/#recursor
> and
> https://doc.powerdns.com/md/authoritative/settings/#allow-recursion
> will have to be set accordingly.
> However it is discouraged to do recursion with the auth Server because it
> leads to exactly the kind of confusion you ran into.
> Also http://cr.yp.to/djbdns/separation.html lists some good reasons for
> keeping those two services separated from each other.
> BIND9 also changed its default behaviour in that regard. (
> https://kb.isc.org/article/AA-00269/0/What-has-changed-in-
> the-behavior-of-allow-recursion-and-allow-query-cache.html )
>
>  Here you ask with the "rd" aka recursion desired flag and it appears that
>>
>>> your BIND Server is indeed configured to recurse for you and go ask
>>> ns17.bitronictech.net about the PTR for 100.94.145.204.in-addr.arpa.
>>> This
>>> is now recursive DNS works, however it is not how authoritative DNS
>>> works.
>>> BIND just happens to do both at the same time.
>>>
>>>  Querying the pdns-recursor directly does return the proper result,
>> however
>> ARIN isn't set to point to this pool of pdns servers and thus this
>> recursion is likely interacting with BIND which is still authoritative for
>> the reverse in-addr.arpa zone....none of which helps my troubleshooting
>>
>
> Correct, if the ARIN nameservers are still pointing to the IPs of your
> BIND9 setup then there is no easy way to test if your new setup works with
> recursive nameservers.
> As i said already you could tell your recursive Server to ask the IP of
> your PowerDNS auth setup directly, thus bypassing the ARIN delegation.
> In PowerDNS recursor you could do that with the
> https://doc.powerdns.com/md/recursor/settings/#forward-zones-recurse
> option.
> For example put
> forward-zones-recurse=94.145.204.in-addr.arpa=10.250.50.237
> in your recursor.conf.
>
>  Stefan
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20150204/eaf368f4/attachment-0001.html>