[Pdns-users] Delegation not working

David opendak at shaw.ca
Thu May 4 18:47:46 UTC 2017


On 2017-05-04 4:05 AM, Julian Kippels wrote:
> Hi,
>
> I am using powerdns 3.4.11 with postgres authoritative backend and
> recursor 3.7.4 as a slave to another DNS server. I have set up my main
> domain and would like to delegate all traffic for a subdomain to yet a
> different nameserver (Active Directory).
>
> This is my domains table:
>> select * from domains;
>  id |  name  |    master    | last_check | type  | notified_serial | account
> ----+--------+--------------+------------+-------+-----------------+---------
>   1 | hhu.de | 134.99.128.2 | 1493888644 | SLAVE |                 |
>
> This is the entry for the subdomain I want to delegate:
>> select * from records where name ~ '.*ad.hhu.de';
>  id  | domain_id |          name          | type |        content         |  ttl  | prio | change_date | disabled | ordername | auth
> -----+-----------+------------------------+------+------------------------+-------+------+-------------+----------+-----------+------
>    6 |         1 | ad.hhu.de              | NS   | svr-hhu-dc-1.ad.hhu.de | 86400 |    0 |             | f        |           | t
>    7 |         1 | ad.hhu.de              | NS   | svr-hhu-dc-2.ad.hhu.de | 86400 |    0 |             | f        |           | t
>  313 |         1 | svr-hhu-dc-1.ad.hhu.de | A    | 134.99.108.150         | 86400 |    0 |             | f        |           | t
>  314 |         1 | svr-hhu-dc-2.ad.hhu.de | A    | 134.99.108.151         | 86400 |    0 |             | f        |           | t
>
> and
>
>   1 |         1 | hhu.de | SOA  | sirene.rz.uni-duesseldorf.de. hostmaster.uni-duesseldorf.de. 2017042701 28800 14400 2592000 25200 | 86400 |    0 |             | f        |           | t
>
> When I use dig to get a name from ad.hhu.de I get no answer:
>
>> dig @localhost ldaps.ad.hhu.de
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.3 <<>> @localhost ldaps.ad.hhu.de
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3914
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1680
> ;; QUESTION SECTION:
> ;ldaps.ad.hhu.de.               IN      A
>
> ;; AUTHORITY SECTION:
> ad.hhu.de.              86400   IN      NS      svr-hhu-dc-2.ad.hhu.de.
> ad.hhu.de.              86400   IN      NS      svr-hhu-dc-1.ad.hhu.de.
>
> ;; ADDITIONAL SECTION:
> svr-hhu-dc-2.ad.hhu.de. 86400   IN      A       134.99.108.151
> svr-hhu-dc-1.ad.hhu.de. 86400   IN      A       134.99.108.150
>
> ;; Query time: 7 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Do Mai 04 11:34:41 CEST 2017
> ;; MSG SIZE  rcvd: 130
>
> This configuration was imported from a BIND server which returns the correct address.
>
> My configuration looks like this:
> pdns.conf:
> setuid=pdns
> setgid=pdns
> launch=gpgsql
> gpgsql-dbname=pdns
> gpgsql-user=pdns
> gpgsql-password=xxxx
> recursor=127.0.0.1:5300
> master=yes
> slave=yes
> allow-axfr-ips=134.99.128.2/32, 134.99.128.5/32, (....)
> allow-recursion=134.99.0.0/16, 172.16.0.0/12, 192.168.254.0/24, 10.88.2.8/31, 10.82.0.0/16, 10.87.16.0/20, 80.153.104.53/32, 80.152.209.115/32
> log-dns-details=yes
> log-dns-queries=yes
> loglevel=5
>
> recursor.conf:
> setuid=pdns-recursor
> setgid=pdns-recursor
> local-port=5300
>
> I can't see why the delegation would fail. Any help would be appreciated.

This isn't a recommended configuration in the first place (and will
stop working in future versions), but it's probably because you aren't
allowing your loopbacks in your allow-recursion statement?

>
> Thanks in advance
> Julian
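A small troubleshooting check, added here and not part of the thread or of PowerDNS itself, that parses the dig header shown above (a referral with ANSWER 0, NS data in AUTHORITY and no "ra" flag) and then tests whether the querying client falls inside the poster's allow-recursion list. The dig excerpt and the allow-recursion value are copied from the thread; the client address is assumed to be 127.0.0.1, since the query was sent to @localhost.

```python
import ipaddress
import re

# Constructed sample: the header lines of the dig output from the thread.
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3914
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

# allow-recursion as posted in the thread's pdns.conf.
ALLOW_RECURSION = ("134.99.0.0/16, 172.16.0.0/12, 192.168.254.0/24, 10.88.2.8/31, "
                   "10.82.0.0/16, 10.87.16.0/20, 80.153.104.53/32, 80.152.209.115/32")


def parse_dig(text):
    """Return (status, set of flags, {'answer': n, 'authority': n}) from a dig header."""
    status = re.search(r"status: (\w+)", text).group(1)
    m = re.search(r";; flags: ([^;]*); QUERY: (\d+), ANSWER: (\d+), "
                  r"AUTHORITY: (\d+), ADDITIONAL: (\d+)", text)
    flags = set(m.group(1).split())
    counts = {"answer": int(m.group(3)), "authority": int(m.group(4))}
    return status, flags, counts


def is_unfollowed_referral(status, flags, counts):
    """True when the server handed back the delegation instead of resolving it:
    NOERROR, empty ANSWER, NS data in AUTHORITY, recursion requested ('rd')
    but not offered ('ra' missing), which is exactly the output in the thread."""
    return (status == "NOERROR" and counts["answer"] == 0
            and counts["authority"] > 0 and "rd" in flags and "ra" not in flags)


def recursion_allowed_for(client_ip, allow_recursion):
    """Does client_ip match any CIDR in a PowerDNS-style comma-separated list?"""
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for n in allow_recursion.split(",") if n.strip()]
    ip = ipaddress.ip_address(client_ip)
    return any(ip in n for n in nets)


def diagnose(dig_text, allow_recursion, client_ip="127.0.0.1"):
    """Classify the dig result; client_ip is an assumption (query came from localhost)."""
    status, flags, counts = parse_dig(dig_text)
    if not is_unfollowed_referral(status, flags, counts):
        return "not a referral problem"
    if recursion_allowed_for(client_ip, allow_recursion):
        return "referral returned although client is in allow-recursion; check the recursor"
    return f"referral returned and {client_ip} is not in allow-recursion"


if __name__ == "__main__":
    print(diagnose(DIG_OUTPUT, ALLOW_RECURSION))
```

Note that "2 servers found" in the dig output means localhost resolved to two addresses, so if the query is ever sent over IPv6 the same check applies to ::1.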