[Pdns-users] PowerDNS Recursor forward-zones-file and recursion-desired

Pieter Lexis pieter.lexis at powerdns.com
Thu Jan 10 07:34:28 UTC 2019

Hi Alun,

On 1/9/19 6:04 PM, Alun James wrote:
> Just having some confusion with the pdns-recursor forward-zones-file
> settings, which I will describe...
> ... Set up description ...
> Externally, authoritative requests are working fine and dnsdist sends
> correctly to localhost:5300 and the response has the “aa” flag. All good.
> Recursion is working fine from a whitelisted IP to external domains OK…

That is indeed what I expected from the description :).

> However, I can no longer get a response from any zone on my Auth server,
> as dnsdist sees my IP as on the whitelist and keeps sending me to the
> recursor rather than the auth and so I get a fail. To work around this,
> my zones are also defined in the pdns-recursor config in the
> forward-zone-file, which is included and correctly read on restart.
> Example from forward-zones-file:  tibus.net=

Also correct.

> I can now query this zone OK from a whitelisted IP and get a response,
> however, I do not get “aa” flag, but instead “rd”.
> According to the documentation the zones listed in the forward-zone-file
> will only have the recursion-desired bit set if they are prefixed with a
> “+” (“Zones prefixed with a ‘+’ are forwarded with the recursion-desired
> bit set”) I do not have this prefix, but yet the bit is set.  Have I
> confused this setting's meaning, misconfigured or should I be getting an
> “aa” flag?

When the '+' is set in a forward-zones-file, the _outgoing_ query to the
specified server has the RD-bit set.

Is there a reason your internal clients *need* the AA-bit set in the
response, or was this merely curiosity? As long as the clients are
stub-resolvers, your set-up looks as though it should work.



Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
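As an added illustration of the point above (not code from this thread or from PowerDNS), the Python below builds the outgoing query the way a '+'-prefixed versus a plain forward-zones-file entry would (RD set or clear) and decodes the AA/RD/RA flags of a response header, which is what "aa" versus "rd" in dig's flags line reflects. The two sample responses are constructed by hand, not captured from a server.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1) in the 16-bit flags word.
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def build_query(qname: str, rd: bool, txid: int = 0x1234, qtype: int = 6) -> bytes:
    """Build a minimal DNS query (qtype 6 = SOA, class IN).

    rd=True is what the recursor sends upstream for a '+' entry in
    forward-zones-file; rd=False is what a plain entry produces."""
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # qdcount=1
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)


def header_flags(packet: bytes) -> dict:
    """Decode the header flags of any DNS message (query or response)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", packet[:4])
    return {
        "id": txid,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA), "rcode": flags & 0x000F,
    }


def describe(packet: bytes) -> str:
    """Summarise what kind of answer a response is, as a resolver client sees it."""
    f = header_flags(packet)
    if not f["qr"]:
        return "query (rd=%s)" % f["rd"]
    if f["aa"]:
        return "authoritative answer"
    if f["ra"]:
        return "recursive (non-authoritative) answer"
    return "non-authoritative answer, recursion not available"


# Constructed sample responses: header only, 1 question, 1 answer record.
# The auth server answers with QR|AA; the recursor echoes the client's RD and
# adds RA but never sets AA for data it forwarded or resolved itself.
AUTH_RESPONSE = struct.pack("!HHHHHH", 0x1234, QR | AA, 1, 1, 0, 0)
RECURSOR_RESPONSE = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)

if __name__ == "__main__":
    for name, pkt in [("auth", AUTH_RESPONSE), ("recursor", RECURSOR_RESPONSE)]:
        print(name, header_flags(pkt), "->", describe(pkt))
```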

