[Pdns-users] pdns recursor forward zone to consul

prochazka at cortex.cz
Tue Aug 6 09:21:50 UTC 2024


No effect (anyway, the default is yes); I even tried
qname-max-minimize-count=1, no success.

Recursor is 5.0.5 btw.

Thanks

On 2024-08-06 11:06, Frank @ kiwazo.be wrote:
> Could you try disabling qname-minimisation?
> https://doc.powerdns.com/recursor/settings.html#qname-minimization
> 
> If that works, could you file a bug with the Consul folks?
> 
> Frank
> 
>> On 6 Aug 2024, at 10:56, prochazka at cortex.cz wrote:
>> 
>> Consul cluster is authoritative:
>> 
>> # dig soa consul @localhost -p 8600
>> ; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> soa consul @localhost -p
>> 8600
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1715
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3,
>> ADDITIONAL: 4
>> 
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 1232
>> ;; QUESTION SECTION:
>> ;consul. IN SOA
>> 
>> ;; ANSWER SECTION:
>> consul. 0 IN SOA ns.consul. hostmaster.consul. 1722932854 3600 600
>> 86400 0
>> 
>> ;; AUTHORITY SECTION:
>> consul. 0 IN NS test-consul-02.service.dc1.consul.
>> consul. 0 IN NS test-consul-01.service.dc1.consul.
>> consul. 0 IN NS test-consul-03.service.dc1.consul.
>> 
>> ;; ADDITIONAL SECTION:
>> test-consul-02.service.dc1.consul. 0 IN A 192.168.200.206
>> test-consul-01.service.dc1.consul. 0 IN A 192.168.200.205
>> test-consul-03.service.dc1.consul. 0 IN A 192.168.200.207
>> 
>> Dnsmasq is default Debian12 configuration, only custom snippet:
>> server=/consul/192.168.200.205#8600
>> 
>> Pdns recursor default Debian12 configuration, custom snippet:
>> # cat /etc/powerdns/recursor.d/recursor-local.conf
>> allow-from=127.0.0.1,192.168.0.0/16,SUBNET1/22,SUBNET2/27,::1/128,SUBNET3/29,SUBNET4/24
>> local-address=::1,IPv6,127.0.0.1,IPv4
>> local-port=53
>> max-negative-ttl=300
>> query-local-address=0.0.0.0,::
>> serve-rfc1918=no
>> 
>> forward-zones=
>> forward-zones+=sub1.domain.tld=IPs pdns auth
>> forward-zones+=sub2.domain.tld=IPs pdns auth
>> forward-zones+=168.192.in-addr.arpa=IPs pdns auth
>> forward-zones+=a.b.c.d.ip6.arpa=IPs pdns auth
>> forward-zones+=sub3.domain.tld=IPs pdns auth
>> forward-zones+=consul=192.168.200.205:8600
>> 
>> When I change the forward zone to only consul, as in dnsmasq:
>> 10:31:32.584238 IP 192.168.200.201.49345 > 192.168.200.55: 47787+
>> [1au] A? master.testcluster.service.consul. (74)
>> 10:31:32.736315 IP 192.168.200.55.domain > 192.168.200.201.49345:
>> 47787 ServFail 0/0/1 (62)
>> 
>> 10:31:32.584694 IP 192.168.200.55.30152 > 192.168.200.205.8600:
>> 59346 [1au] A? service.consul. (43)
>> 10:31:32.586480 IP 192.168.200.205.8600 > 192.168.200.55.30152:
>> 59346 NXDomain* 0/1/1 (93)
>> 10:31:32.603241 IP 192.168.200.55.29051 > 192.168.200.205.8600:
>> 13078 [1au] A? master.testcluster.service.consul. (62)
>> 10:31:32.606545 IP 192.168.200.205.8600 > 192.168.200.55.29051:
>> 13078* 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A
>> 192.168.200.202 (122)
>> 10:31:32.613117 IP 192.168.200.55.49421 > 192.168.200.205.8600:
>> 50188 [1au] DS? testcluster.service.consul. (55)
>> 10:31:32.615703 IP 192.168.200.205.8600 > 192.168.200.55.49421:
>> 50188* 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A
>> 192.168.200.202 (115)
>> 10:31:32.633388 IP 192.168.200.55.49375 > 192.168.200.205.8600:
>> 19606 [1au] DS? testcluster.service.consul. (55)
>> 10:31:32.635325 IP 192.168.200.205.8600 > 192.168.200.55.49375:
>> 19606* 2/0/1 CNAME test-patroni-01.sub1.domain.tld., A
>> 192.168.200.201 (115)
>> 10:31:32.641387 IP 192.168.200.55.56897 > 192.168.200.205.8600:
>> 28586 [1au] DS? testcluster.service.consul. (55)
>> 10:31:32.643305 IP 192.168.200.205.8600 > 192.168.200.55.56897:
>> 28586* 2/0/1 CNAME test-patroni-01.sub1.domain.tld., A
>> 192.168.200.201 (115)
>> 10:31:32.656262 IP 192.168.200.55.18550 > 192.168.200.205.8600:
>> 25986 [1au] DS? testcluster.service.consul. (55)
>> 10:31:32.658261 IP 192.168.200.205.8600 > 192.168.200.55.18550:
>> 25986* 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A
>> 192.168.200.202 (115)
>> 10:31:32.667227 IP 192.168.200.55.8608 > 192.168.200.205.8600: 16502
>> [1au] DS? testcluster.service.consul. (55)
>> 10:31:32.669022 IP 192.168.200.205.8600 > 192.168.200.55.8608:
>> 16502* 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A
>> 192.168.200.202 (115)
>> 10:31:32.686261 IP 192.168.200.55.30571 > 192.168.200.205.8600:
>> 52874 [1au] DS? testcluster.service.consul. (55)
>> 10:31:32.688356 IP 192.168.200.205.8600 > 192.168.200.55.30571:
>> 52874* 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A
>> 192.168.200.202 (115)
>> 10:31:32.712947 IP 192.168.200.55.2258 > 192.168.200.205.8600: 303
>> [1au] DS? testcluster.service.consul. (55)
>> 10:31:32.715829 IP 192.168.200.205.8600 > 192.168.200.55.2258: 303*
>> 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A 192.168.200.202
>> (115)
>> 10:31:32.726324 IP 192.168.200.55.13556 > 192.168.200.205.8600: 3022
>> [1au] DS? testcluster.service.consul. (55)
>> 10:31:32.728700 IP 192.168.200.205.8600 > 192.168.200.55.13556:
>> 3022* 2/0/1 CNAME test-patroni-01.sub1.domain.tld., A
>> 192.168.200.201 (115)
>> 
>> Consul is set for domain "consul".
>> Patroni is set for namespace "service".
>> Patroni is set for scope "testcluster".
>> 
>> That's why I can't set a forward zone for testdomain.service.consul,
>> because every patroni cluster (or every cluster service) has its own
>> scope value. Anyway, I set
>> forward-zone+=testdomain.service.consul=... and got an NXDOMAIN result
>> this time.
>> 
>> Dnsmasq/dig does only one query (tcpdump from the consul server):
>> 10:54:04.293482 IP 192.168.200.201.35239 > 192.168.200.205.8600:
>> 40715+ [1au] A? master.testcluster.service.consul. (74)
>> 10:54:04.297128 IP 192.168.200.205.8600 > 192.168.200.201.35239:
>> 40715* 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A
>> 192.168.200.202 (122)
>> 
>> BUT pdns is doing multiple queries. That's the main difference.
>> 
>> Thanks.
>> 
>> On 2024-08-06 10:06, Frank @ kiwazo.be wrote:
>>>> dnsmasq: forwarded master.testcluster.service.consul to
>>>> 192.168.200.205#8600
>>>> dnsmasq: reply master.testcluster.service.consul is <CNAME>
>>>> dnsmasq: reply test-patroni-02.sub.domain.tld is 192.168.200.202
>>>> ...
>>>> Failing query via pdns-recursor, pdns to consul:
>>>> 09:00:28.996364 IP 192.168.200.55.50085 > 192.168.200.205.8600:
>>>> 36627+% [1au] A? master.testcluster.service.consul. (62)
>>>> 09:00:29.007576 IP 192.168.200.205.8600 > 192.168.200.55.50085:
>>>> 36627* 2/0/1 CNAME test-patroni-02.intr.cortex.cz., A
>>>> 192.168.200.202 (122)
>>>> 09:00:29.021812 IP 192.168.200.55.33770 > 192.168.200.206.8600:
>>>> 35806+% [1au] DS? service.consul. (43)
>>>> 09:00:29.023654 IP 192.168.200.206.8600 > 192.168.200.55.33770:
>>>> 35806 NXDomain* 0/1/1 (93)
>>>> ...
>>> 192.168.200.206 is telling pdns there is no "service.consul"
>>> configured there. So either 206 is wrong, or 206 is not authoritative
>>> for the service.consul domain, or 206 is misconfigured.
>>> To rule out #2, could you set the forward-zones config to JUST the
>>> domain 205/206/207 are responsible for? (could be it only answers to
>>> testcluster.service.consul)?
>>> Also, you have given us 0.005% of your config, yet you ask us to
>>> figure out what's wrong? Please see
>>> https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open
>>> Frank
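For anyone who wants to check a capture like the ones quoted in this thread mechanically, here is an added example; it is not code from the thread, from PowerDNS or from Consul. It parses `tcpdump -n` DNS summary lines, pairs each response with its query, and reports the patterns visible in the quoted capture: answers to a DS query that carry record types other than DS (the CNAME/A answers above), an NXDOMAIN for service.consul from the same server that positively answers names beneath it (RFC 8020 says NXDOMAIN means nothing exists underneath, and that is what a qname-minimising resolver, RFC 9156, acts on), identical queries repeated to one server, and the SERVFAIL handed back to the client. The sample trace embedded in the script is constructed from the thread's capture, condensed to one line per packet and three DS retries; the regexes assume tcpdump's default summary format for DNS over UDP.

```python
"""Triage a tcpdump DNS summary for a forwarded zone (added example, not
from the thread, PowerDNS or Consul).  Input: `tcpdump -n` DNS lines, one
record per line.  The sample trace is constructed from the thread's capture."""
import re
from collections import Counter

# Constructed sample: recursor 192.168.200.55 answers a client (.201) by
# forwarding to Consul DNS on 192.168.200.205:8600 (condensed: 3 DS retries).
SAMPLE_TRACE = """\
10:31:32.584238 IP 192.168.200.201.49345 > 192.168.200.55.domain: 47787+ [1au] A? master.testcluster.service.consul. (74)
10:31:32.584694 IP 192.168.200.55.30152 > 192.168.200.205.8600: 59346 [1au] A? service.consul. (43)
10:31:32.586480 IP 192.168.200.205.8600 > 192.168.200.55.30152: 59346 NXDomain* 0/1/1 (93)
10:31:32.603241 IP 192.168.200.55.29051 > 192.168.200.205.8600: 13078 [1au] A? master.testcluster.service.consul. (62)
10:31:32.606545 IP 192.168.200.205.8600 > 192.168.200.55.29051: 13078* 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A 192.168.200.202 (122)
10:31:32.613117 IP 192.168.200.55.49421 > 192.168.200.205.8600: 50188 [1au] DS? testcluster.service.consul. (55)
10:31:32.615703 IP 192.168.200.205.8600 > 192.168.200.55.49421: 50188* 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A 192.168.200.202 (115)
10:31:32.633388 IP 192.168.200.55.49375 > 192.168.200.205.8600: 19606 [1au] DS? testcluster.service.consul. (55)
10:31:32.635325 IP 192.168.200.205.8600 > 192.168.200.55.49375: 19606* 2/0/1 CNAME test-patroni-01.sub1.domain.tld., A 192.168.200.201 (115)
10:31:32.641387 IP 192.168.200.55.56897 > 192.168.200.205.8600: 28586 [1au] DS? testcluster.service.consul. (55)
10:31:32.643305 IP 192.168.200.205.8600 > 192.168.200.55.56897: 28586* 2/0/1 CNAME test-patroni-01.sub1.domain.tld., A 192.168.200.201 (115)
10:31:32.736315 IP 192.168.200.55.domain > 192.168.200.201.49345: 47787 ServFail 0/0/1 (62)
"""

# Query line: "<ts> IP <src> > <dst>: <id>[+%$] [1au] <QTYPE>? <qname> (<len>)"
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<id>\d+)[+%$]* "
    r"(?:\[1au\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$")
# Response line: "<ts> IP <src> > <dst>: <id>[rcode][*] an/au/ad [RRs] (<len>)"
RESP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<id>\d+)(?P<status>[^/]*?) "
    r"(?P<an>\d+)/(?P<au>\d+)/(?P<ad>\d+)(?P<rrs>.*?) \(\d+\)$")
RCODES = ("NXDomain", "ServFail", "Refused", "FormErr", "NotImp")


def parse_trace(text):
    """Pair each response with its query on (client socket, server socket, id)."""
    pending, pairs = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = QUERY_RE.match(line)
        if m:
            pending[(m["src"], m["dst"], m["id"])] = m.groupdict()
            continue
        m = RESP_RE.match(line)
        if not m:
            continue
        q = pending.pop((m["dst"], m["src"], m["id"]), None)
        if q is None:
            continue  # response without a captured query
        rcode = next((w.upper() for w in RCODES if w in m["status"]), "NOERROR")
        # tcpdump prints answer RRs as "TYPE data, TYPE data"; keep the types
        types = [rr.split(" ", 1)[0] for rr in m["rrs"].strip().split(", ") if rr]
        pairs.append({"server": m["src"], "qtype": q["qtype"], "qname": q["qname"],
                      "rcode": rcode, "ancount": int(m["an"]), "answer_types": types})
    return pairs


def is_ancestor(short, long_):
    """True when long_ is a proper subdomain of short (both absolute names)."""
    return long_ != short and long_.endswith("." + short)


def triage(pairs):
    """Flag the upstream behaviours that make a validating, minimising recursor fail."""
    findings = {"wrong_type": [], "nxdomain_ancestors": [], "retries": {}, "servfail": []}
    positives = [p for p in pairs if p["rcode"] == "NOERROR" and p["ancount"] > 0]
    for p in pairs:
        # 1. Answer RRs that are neither the asked type nor CNAME/RRSIG: the
        #    server ignored QTYPE (the DS answers in the thread carry A records).
        bad = [t for t in p["answer_types"] if t not in (p["qtype"], "CNAME", "RRSIG")]
        if bad:
            findings["wrong_type"].append((p["qtype"], p["qname"], bad))
        # 2. NXDOMAIN for a name under which the same server answers positively:
        #    contradicts RFC 8020 and trips qname minimisation (RFC 9156).
        if p["rcode"] == "NXDOMAIN":
            below = sorted({x["qname"] for x in positives
                            if x["server"] == p["server"] and is_ancestor(p["qname"], x["qname"])})
            if below:
                findings["nxdomain_ancestors"].append((p["qname"], below))
        # 3. What the client finally got.
        if p["rcode"] == "SERVFAIL":
            findings["servfail"].append((p["qtype"], p["qname"]))
    # 4. Identical queries repeated to one server (the recursor retrying).
    counts = Counter((p["server"], p["qtype"], p["qname"]) for p in pairs)
    findings["retries"] = {k: n for k, n in counts.items() if n > 1}
    return findings


if __name__ == "__main__":
    for key, value in triage(parse_trace(SAMPLE_TRACE)).items():
        print(key, value)
```

Feed it `tcpdump -n -i any udp port 8600 or udp port 53` output (one record per line; the archive above wraps records over several lines, so join those first) to see which of the four patterns a given upstream produces.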
