[Pdns-users] Failures of recursor from within pod/coredns OR dig

Alessandro Dentella sandro.dentella at gmail.com
Thu Oct 21 15:21:07 UTC 2021


Hi Pieter,
Thanks for your attention.

On Thu, Oct 21, 2021 at 10:13:59AM +0200, Pieter Lexis via Pdns-users wrote:
> Hi Alessandro,
> 
> On 10/20/21 23:42, Alessandro Dentella via Pdns-users wrote:
> > If I operate from the node (as opposed to within the container), I notice that
> > `host` always works while dig does not:
> 
> Please don't use `host`, it can mask issues.
> 
> > I tried setting:
> > 
> >   edns-subnet-allow-list=thux.lan
> > 
> > but the problem persists. Can I configure PowerDNS recursor so that it answers
> > correctly to coredns and dig?
> 
> Can you show your full recursor.conf?

It's almost all defaults::

    local-address=0.0.0.0,::
    forward-zones=thux.lan=212.31.253.25
    trace=yes
    edns-subnet-allow-list=thux.lan

> Can you set trace=yes in the recursor config and restart? Then do a dig
> that fails and check the recursors' log. It will hint as to what is
> happening.


Here is the failing dig:


   https://pastebin.com/NeUNyWfF

   # dig dns1b.thux.lan @10.2.201.135

   ; <<>> DiG 9.16.1-Ubuntu <<>> dns1b.thux.lan @10.2.201.135
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15471
   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags:; udp: 512
   ;; QUESTION SECTION:
   ;dns1b.thux.lan.			IN	A

   ;; Query time: 172 msec
   ;; SERVER: 10.2.201.135#53(10.2.201.135)
   ;; WHEN: Thu Oct 21 15:12:40 UTC 2021
   ;; MSG SIZE  rcvd: 43


and here the request made by coredns when I use nslookup from within the container:

   https://pastebin.com/DsNH1akb


I'm a bit overwhelmed by the quantity of logs...

At almost the beginning I read::

   recursor_1    | Oct 21 15:12:40 [1] dns1b.thux.lan: Resolved 'thux.lan' NS (empty) to: 212.31.253.25
   recursor_1    | Oct 21 15:12:40 [1] dns1b.thux.lan: Trying IP 212.31.253.25:53, asking 'dns1b.thux.lan|A'
   recursor_1    | Oct 21 15:12:40 [1] dns1b.thux.lan: Adding EDNS Client Subnet Mask 127.0.0.1/32 to query
   recursor_1    | Oct 21 15:12:40 [1] dns1b.thux.lan: Got 2 answers from (empty) (212.31.253.25), rcode=0 (No Error), aa=1, in 7ms
   recursor_1    | Oct 21 15:12:40 [1] dns1b.thux.lan: accept answer 'dns1b.thux.lan|A|10.2.201.135' from 'thux.lan' nameservers? ttl=10800, place=1 YES! - This answer was received from a server we forward to.

I'd think the last line is good...
then it continues as::

   recursor_1    | Oct 21 15:12:40 [1] dns1b.thux.lan: OPT answer '.' from 'thux.lan' nameservers
   recursor_1    | Oct 21 15:12:40 [1] : no or invalid signature/proof for dns1b.thux.lan, we likely missed a cut between . and dns1b.thux.lan, looking for it
   recursor_1    | Oct 21 15:12:40 [1] : - Looking for a DS at lan
   recursor_1    | Oct 21 15:12:40 [1] : no TA found for 'lan' among 1
   recursor_1    | Oct 21 15:12:40 [1] : no TA found for 'lan' among 1
   recursor_1    | Oct 21 15:12:40 [1] : got TA for '.'

Does this give any hints?


sandro
*:-)
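
An added example, not part of the original message and not PowerDNS code: a small Python filter for `trace=yes` output like the excerpt above, reducing each request to the forwarder exchange and the DNSSEC trust-anchor lookups. The function name `triage` and the rule labels are this example's own, and the patterns are written against the lines quoted in the message, so they are an assumption for other recursor versions.

```python
import re

# Trace lines copied from the message above (docker-compose prefix included).
SAMPLE = """\
recursor_1    | Oct 21 15:12:40 [1] dns1b.thux.lan: Trying IP 212.31.253.25:53, asking 'dns1b.thux.lan|A'
recursor_1    | Oct 21 15:12:40 [1] dns1b.thux.lan: Adding EDNS Client Subnet Mask 127.0.0.1/32 to query
recursor_1    | Oct 21 15:12:40 [1] dns1b.thux.lan: Got 2 answers from (empty) (212.31.253.25), rcode=0 (No Error), aa=1, in 7ms
recursor_1    | Oct 21 15:12:40 [1] dns1b.thux.lan: accept answer 'dns1b.thux.lan|A|10.2.201.135' from 'thux.lan' nameservers? ttl=10800, place=1 YES! - This answer was received from a server we forward to.
recursor_1    | Oct 21 15:12:40 [1] dns1b.thux.lan: OPT answer '.' from 'thux.lan' nameservers
recursor_1    | Oct 21 15:12:40 [1] : no or invalid signature/proof for dns1b.thux.lan, we likely missed a cut between . and dns1b.thux.lan, looking for it
recursor_1    | Oct 21 15:12:40 [1] : - Looking for a DS at lan
recursor_1    | Oct 21 15:12:40 [1] : no TA found for 'lan' among 1
recursor_1    | Oct 21 15:12:40 [1] : no TA found for 'lan' among 1
recursor_1    | Oct 21 15:12:40 [1] : got TA for '.'
"""

# Optional container prefix, syslog-style timestamp, [request id], qname (may be empty), message.
LINE = re.compile(r"^(?:\S+\s+\|\s+)?\w{3} +\d+ [\d:]{8} \[(\d+)\] (\S*?): (.*)$")

RULES = [  # labels are this example's own names, not PowerDNS terminology
    ("asked", re.compile(r"Trying IP (\S+), asking")),
    ("ecs", re.compile(r"Adding EDNS Client Subnet Mask (\S+) to query")),
    ("rcode", re.compile(r"Got \d+ answers from .*?rcode=\d+ \(([^)]+)\)")),
    ("accepted", re.compile(r"accept answer '([^']+)'.*YES!")),
    ("no_proof", re.compile(r"no or invalid signature/proof for (\S+?),")),
    ("ds_lookup", re.compile(r"Looking for a DS at (\S+)")),
    ("no_ta", re.compile(r"no TA found for '([^']+)'")),
    ("ta", re.compile(r"got TA for '([^']+)'")),
]

def triage(text):
    """Map request id -> label -> details in the order seen, repeats dropped."""
    out = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a recursor trace line
        rid, msg = int(m.group(1)), m.group(3)
        for label, rx in RULES:
            hit = rx.search(msg)
            if hit:
                seen = out.setdefault(rid, {}).setdefault(label, [])
                if hit.group(1) not in seen:
                    seen.append(hit.group(1))
                break
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Piping a saved trace through `triage` in place of `SAMPLE` gives one entry per request id, which makes it easier to compare a failing `dig` against a working `host` lookup.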

