[Pdns-users] PowerDNS Recursor forward-zones-file and recursion-desired
Alun James
AJames at tibus.com
Thu Jan 10 09:04:43 UTC 2019
Hi Pieter,
I guess it was mostly just my curiosity and misunderstanding of how it worked, thinking it might cause an issue. I did have one issue with one of the whitelisted subnets where a client was running a full resolver, rather than a stub, and who could no longer resolve our domains. My understanding was that they kept matching the recursive whitelist and being sent to our resolver, thus never got an aa response. I removed them from the whitelist and all was sorted. I could also have asked them to reconfigure as a stub pointing at our servers too.
No matter, I will continue and thanks for the response, it's all much clearer now.
Cheers,
Alun.
-----Original Message-----
From: Pdns-users <pdns-users-bounces at mailman.powerdns.com> On Behalf Of Pieter Lexis
Sent: 10 January 2019 07:34
To: pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] PowerDNS Recursor forward-zones-file and recursion-desired
Hi Alun,
On 1/9/19 6:04 PM, Alun James wrote:
> Just having some confusion with the pdns-recursor forward-zones-file
> settings, which I will describe..
>
> ... Set up description ...
>
> Externally, authoritative requests are working fine and dnsdist sends
> correctly to localhost:5300 and the response has the “aa” flag. All good.
>
> Recursion is working fine from a whitelisted IP to external domains
> OK…
That is indeed what I expected from the description :).
> However, I can no longer get a response from any zone on my Auth
> server, as dnsdist sees my IP as on the whitelist and keeps sending
> me to the recursor rather than the auth and so I get a fail. To work
> around this, my zones are also defined in the pdns-recursor config in
> the forward-zone-file, which is included and correctly read on restart.
>
> Example from forward-zones-file: tibus.net=127.0.0.1:5300
Also correct.
> I can now query this zone OK from a whitelisted IP and get a response,
> however, I do not get “aa” flag, but instead “rd”.
>
> According to the documentation the zones listed in the
> forward-zone-file will only have the recursion-desired bit set if they
> are prefixed with a “+” (“Zones prefixed with a ‘+’ are forwarded with
> the recursion-desired bit set”) I do not have this prefix, but yet the
> bit is set. Have I confused this setting's meaning, misconfigured or
> should I be getting an “aa” flag?
When the '+' is set in a forward-zones-file, the _outgoing_ query to the specified server has the RD-bit set.
Is there a reason your internal clients *need* the AA-bit set in the response, or was this merely curiosity? As long as the clients are stub-resolvers, your set-up looks as though it should work.
Cheers,
Pieter
--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
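To make Pieter's point concrete, here is an added example (not from the thread or the PowerDNS project) that parses a forward-zones-file the way the thread describes it and shows which flags end up on the outgoing query: only zones prefixed with '+' are forwarded with RD set. Only the tibus.net line comes from the thread; the other entries, the IPv4-only syntax and the default port 53 are assumptions.

```python
import struct

RD = 0x0100  # recursion-desired bit in the DNS header flags word

# Constructed sample file; only the tibus.net line comes from the thread.
SAMPLE_FORWARD_ZONES = """\
# local authoritative server on port 5300, as in the thread
tibus.net=127.0.0.1:5300
# assumed extra entries: two servers, and a '+' zone forwarded with RD set
example.internal=127.0.0.1:5300, 127.0.0.2:5300
+corp.example=10.0.0.53
"""

def parse_forward_zones(text):
    """Return {zone: {"servers": [(ip, port)], "recurse": bool}}.
    Assumed syntax: optional leading '+', then zone=ip[:port][, ip[:port]...];
    '#' starts a comment; IPv4 only; port defaults to 53."""
    zones = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        recurse = line.startswith("+")          # '+' => forward with RD set
        zone, sep, rest = line.lstrip("+").partition("=")
        if not sep:
            raise ValueError(f"malformed forward-zones line: {raw!r}")
        servers = []
        for addr in rest.split(","):
            host, _, port = addr.strip().partition(":")
            servers.append((host, int(port) if port else 53))
        zones[zone.strip().rstrip(".").lower()] = {"servers": servers, "recurse": recurse}
    return zones

def lookup_forward(zones, qname):
    """Most-specific forward entry covering qname, or None (normal recursion)."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def outgoing_header(zones, qname, qid=0x1234):
    """12-byte header of the query sent upstream for qname: RD only for '+' zones.
    Names with no forward entry are resolved iteratively, also without RD."""
    zone = lookup_forward(zones, qname)
    flags = RD if zone and zones[zone]["recurse"] else 0
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)

def flags_of(header):
    """Extract the flags word from a packed DNS header."""
    return struct.unpack("!H", header[2:4])[0]
```

Note that the flags here describe the query the Recursor sends to 127.0.0.1:5300; what the whitelisted client sees is still a recursor answer, which is why the thread observes rd rather than aa.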