[Pdns-users] pdns recursor forward zone to consul
prochazka at cortex.cz
prochazka at cortex.cz
Tue Aug 6 09:33:32 UTC 2024
Sorry, my reading fail.
I disabled qname-minimization, restarted, again servfail.
Thanks.
Dne 2024-08-06 11:21, Prochazka via Pdns-users napsal:
> No effect (anyway, default is yes), i even tried
> qname-max-minimize-count=1, no success.
>
> Recursor is 5.0.5 btw.
>
> Thanks
>
> Dne 2024-08-06 11:06, Frank @ kiwazo.be napsal:
>> Could you try disabling qname-minimisation?
>> https://doc.powerdns.com/recursor/settings.html#qname-minimization
>>
>> If that works, could you file a bug with the Consul folks?
>>
>> Frank
>>
>>> On 6 Aug 2024, at 10:56, prochazka at cortex.cz wrote:
>>>
>>> Consul cluster is authoritative:
>>>
>>> # dig soa consul @localhost -p 8600
>>> ; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> soa consul @localhost -p
>>> 8600
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1715
>>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3,
>>> ADDITIONAL: 4
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 1232
>>> ;; QUESTION SECTION:
>>> ;consul. IN SOA
>>>
>>> ;; ANSWER SECTION:
>>> consul. 0 IN SOA ns.consul. hostmaster.consul. 1722932854 3600 600
>>> 86400 0
>>>
>>> ;; AUTHORITY SECTION:
>>> consul. 0 IN NS test-consul-02.service.dc1.consul.
>>> consul. 0 IN NS test-consul-01.service.dc1.consul.
>>> consul. 0 IN NS test-consul-03.service.dc1.consul.
>>>
>>> ;; ADDITIONAL SECTION:
>>> test-consul-02.service.dc1.consul. 0 IN A 192.168.200.206
>>> test-consul-01.service.dc1.consul. 0 IN A 192.168.200.205
>>> test-consul-03.service.dc1.consul. 0 IN A 192.168.200.207
>>>
>>> Dnsmasq is default Debian12 configuration, only custom snippet:
>>> server=/consul/192.168.200.205#8600
>>>
>>> Pdns recursor default Debian12 configuration, custom snippet:
>>> # cat /etc/powerdns/recursor.d/recursor-local.conf
>>>
>>>
>> allow-from=127.0.0.1,192.168.0.0/16,SUBNET1/22,SUBNET2/27,::1/128,SUBNET3/29,SUBNET4/24
>>> local-address=::1,IPv6,127.0.0.1,IPv4
>>> local-port=53
>>> max-negative-ttl=300
>>> query-local-address=0.0.0.0,::
>>> serve-rfc1918=no
>>>
>>> forward-zones=
>>> forward-zones+=sub1.domain.tld=IPs pdns auth
>>> forward-zones+=sub2.domain.tld=IPs pdns auth
>>> forward-zones+=168.192.in-addr.arpa=IPs pdns auth
>>> forward-zones+=a.b.c.d.ip6.arpa=IPs pdns auth
>>> forward-zones+=sub3.domain.tld=IPs pdns auth
>>> forward-zones+=consul=192.168.200.205:8600
>>>
>>> When i change forward zone to the only consul as dnsmasq:
>>> 10:31:32.584238 IP 192.168.200.201.49345 > 192.168.200.55: 47787+
>>> [1au] A? master.testcluster.service.consul. (74)
>>> 10:31:32.736315 IP 192.168.200.55.domain > 192.168.200.201.49345:
>>> 47787 ServFail 0/0/1 (62)
>>>
>>> 10:31:32.584694 IP 192.168.200.55.30152 > 192.168.200.205.8600:
>>> 59346 [1au] A? service.consul. (43)
>>> 10:31:32.586480 IP 192.168.200.205.8600 > 192.168.200.55.30152:
>>> 59346 NXDomain* 0/1/1 (93)
>>> 10:31:32.603241 IP 192.168.200.55.29051 > 192.168.200.205.8600:
>>> 13078 [1au] A? master.testcluster.service.consul. (62)
>>> 10:31:32.606545 IP 192.168.200.205.8600 > 192.168.200.55.29051:
>>> 13078* 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A
>>> 192.168.200.202 (122)
>>> 10:31:32.613117 IP 192.168.200.55.49421 > 192.168.200.205.8600:
>>> 50188 [1au] DS? testcluster.service.consul. (55)
>>> 10:31:32.615703 IP 192.168.200.205.8600 > 192.168.200.55.49421:
>>> 50188* 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A
>>> 192.168.200.202 (115)
>>> 10:31:32.633388 IP 192.168.200.55.49375 > 192.168.200.205.8600:
>>> 19606 [1au] DS? testcluster.service.consul. (55)
>>> 10:31:32.635325 IP 192.168.200.205.8600 > 192.168.200.55.49375:
>>> 19606* 2/0/1 CNAME test-patroni-01.sub1.domain.tld., A
>>> 192.168.200.201 (115)
>>> 10:31:32.641387 IP 192.168.200.55.56897 > 192.168.200.205.8600:
>>> 28586 [1au] DS? testcluster.service.consul. (55)
>>> 10:31:32.643305 IP 192.168.200.205.8600 > 192.168.200.55.56897:
>>> 28586* 2/0/1 CNAME test-patroni-01.sub1.domain.tld., A
>>> 192.168.200.201 (115)
>>> 10:31:32.656262 IP 192.168.200.55.18550 > 192.168.200.205.8600:
>>> 25986 [1au] DS? testcluster.service.consul. (55)
>>> 10:31:32.658261 IP 192.168.200.205.8600 > 192.168.200.55.18550:
>>> 25986* 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A
>>> 192.168.200.202 (115)
>>> 10:31:32.667227 IP 192.168.200.55.8608 > 192.168.200.205.8600: 16502
>>> [1au] DS? testcluster.service.consul. (55)
>>> 10:31:32.669022 IP 192.168.200.205.8600 > 192.168.200.55.8608:
>>> 16502* 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A
>>> 192.168.200.202 (115)
>>> 10:31:32.686261 IP 192.168.200.55.30571 > 192.168.200.205.8600:
>>> 52874 [1au] DS? testcluster.service.consul. (55)
>>> 10:31:32.688356 IP 192.168.200.205.8600 > 192.168.200.55.30571:
>>> 52874* 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A
>>> 192.168.200.202 (115)
>>> 10:31:32.712947 IP 192.168.200.55.2258 > 192.168.200.205.8600: 303
>>> [1au] DS? testcluster.service.consul. (55)
>>> 10:31:32.715829 IP 192.168.200.205.8600 > 192.168.200.55.2258: 303*
>>> 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A 192.168.200.202
>>> (115)
>>> 10:31:32.726324 IP 192.168.200.55.13556 > 192.168.200.205.8600: 3022
>>> [1au] DS? testcluster.service.consul. (55)
>>> 10:31:32.728700 IP 192.168.200.205.8600 > 192.168.200.55.13556:
>>> 3022* 2/0/1 CNAME test-patroni-01.sub1.domain.tld., A
>>> 192.168.200.201 (115)
>>>
>>> Consul is set for domain "consul".
>>> Patroni is set for namespace "service".
>>> Patroni is set for scope "testcluster".
>>>
>>> Thats why I can't set forward zone for testdomain.service.consul,
>>> because every patroni cluster (or every cluster service) has it own
>>> scope value. Anyway, i set
>>> forward-zone+=testdomain.service.consul=..., got NXDOMAIN result
>>> this time.
>>>
>>> Dnsmasq/dig does only one query (tcpdump from consul server):
>>> 10:54:04.293482 IP 192.168.200.201.35239 > 192.168.200.205.8600:
>>> 40715+ [1au] A? master.testcluster.service.consul. (74)
>>> 10:54:04.297128 IP 192.168.200.205.8600 > 192.168.200.201.35239:
>>> 40715* 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A
>>> 192.168.200.202 (122)
>>>
>>> BUT pdns doing multiple queries. That's main difference.
>>>
>>> Thanks.
>>>
>>> Dne 2024-08-06 10:06, Frank @ kiwazo.be napsal:
>>> dnsmasq: forwarded master.testcluster.service.consul to
>>> 192.168.200.205#8600
>>> dnsmasq: reply master.testcluster.service.consul is <CNAME>
>>> dnsmasq: reply test-patroni-02.sub.domain.tld is 192.168.200.202
>>> ...
>>> Failing query via pdns-recursor, pdns to consul:
>>> 09:00:28.996364 IP 192.168.200.55.50085 > 192.168.200.205.8600:
>>> 36627+% [1au] A? master.testcluster.service.consul. (62)
>>> 09:00:29.007576 IP 192.168.200.205.8600 > 192.168.200.55.50085:
>>> 36627* 2/0/1 CNAME test-patroni-02.intr.cortex.cz., A
>>> 192.168.200.202 (122)
>>> 09:00:29.021812 IP 192.168.200.55.33770 > 192.168.200.206.8600:
>>> 35806+% [1au] DS? service.consul. (43)
>>> 09:00:29.023654 IP 192.168.200.206.8600 > 192.168.200.55.33770:
>>> 35806 NXDomain* 0/1/1 (93)
>>> ...
>>> 192.168.200.206 is telling pdns there is no "service.consul"
>>> configured there. So either 206 is wrong, or 206 is not
>>> Authoritative
>>> for the service.consul domain, or 206 is misconfigured.
>>> To rule out #2, could you set the forward-zones config to JUST the
>>> domain 205/206/207 are responsible for? (could be it only answers to
>>> testcluster.service.consul)?
>>> Also, you have given us 0.005% of your config, yet you ask us to
>>> figure out what's wrong? Please see
>>>
>> https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open
>>> Frank
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
More information about the Pdns-users
mailing list