[Pdns-users] PowerDNS Recursor forward-zones-file and recursion-desired

Alun James AJames at tibus.com
Thu Jan 10 09:04:43 UTC 2019

Hi Pieter, 

I guess it was mostly just my curiosity and misunderstanding of how it worked, thinking it might cause an issue. I did have one issue with one of the whitelisted  subnets where a client was running a full resolver, rather than a stub, and who could no longer resolve our domains. My understanding was that they kept matching the recursive whitelist and being sent to our resolver, thus never got an aa response. I removed them from the whitelist all was sorted. I could also have asked them to reconfigure as a stub pointing at our servers too.

No matter, I will continue and thanks for the response, it's all much clearer now.



-----Original Message-----
From: Pdns-users <pdns-users-bounces at mailman.powerdns.com> On Behalf Of Pieter Lexis
Sent: 10 January 2019 07:34
To: pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] PowerDNS Recursor forward-zones-file and recursion-desired

Hi Alun,

On 1/9/19 6:04 PM, Alun James wrote:
> Just having come confusion with the pdns-recursor forward-zones-file 
> settings, which I will describe..
> ... Set up description ...
> Externally, authoritative requests are working fine and dnsdist sends 
> correctly to localhost:5300 and the response has the “aa” flag. All good.
> Recursion is working fine from a whitelisted IP to external domains 
> OK…

That is indeed what I expected from the description :).

> However, I can no longer get a response from any zone on my Auth 
> server, as dnsdist see’s my IP as on the whitelist and keeps sending 
> me to the recursor rather than the auth and so I get a fail. To work 
> around this, my zones are also defined in the pdns-recursor config in 
> the forward-zone-file, which is included and correctly read on restart.
> Example from forward-zones-file:  tibus.net=

Also correct.

> I can now query this zone OK from a whitelisted IP and get a response, 
> however, I do not get “aa” flag, but instead “rd”.
> According to the documentation the zones listed in the 
> forward-zone-file will only have the recursion-desired bit set if they 
> are prefixed with a “+” (“Zones prefixed with a ‘+’ are forwarded with 
> the recursion-desired bit set”) I do not have this prefix, but yet the 
> bit is set.  Have I confused this settings meaning, misconfigured or 
> should I be getting an “aa” flag?

When the '+' is set in a forward-zones-file, the _outgoing_ query to the specified server has the RD-bit set.

Is there a reason your internal clients *need* the AA-bit set in the response, or was this merely curiosity? As long as the clients are stub-resolvers, your set-up looks as though it should work.



Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com _______________________________________________
Pdns-users mailing list
Pdns-users at mailman.powerdns.com

More information about the Pdns-users mailing list