[Pdns-users] Authoritative PDNS gives back non-authoritative Answers for records
rob777
rogbru at gmail.com
Fri Nov 1 09:03:49 UTC 2024
Hi
I'm in a testing phase of an internal PowerDNS setup which I will take into
production in a few weeks.
Setup:
- Primary PowerDNS Authoritative 4.9 (hidden master, it is not used as a
resolver for clients)
- Secondary 1, PowerDNS Recursor with PowerDNS Authoritative (used as
resolver for clients)
- Secondary 2, PowerDNS Recursor with PowerDNS Authoritative (used as
resolver for clients)
- The authoritatives are responsible for about 10 internal zones like
example1.mydomain.com, example2.mydomain.com - these are configured in the
forward-zones file of the recursor
- The SOA of these zones is set to the FQDN of the primary PowerDNS
Possible Problem:
- During tests we became aware that the internal zones (like
example1.mydomain.com) do not give back an authoritative answer to
queries in a zone. So:
*************************************************************************
$ dig test.example1.mydomain.com @<ip-of-my secondary>
; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu
...
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;test.example1.mydomain.com. IN A
;; ANSWER SECTION:
test.example1.mydomain.com. 400 IN A 10.0.25.28
*************************************************************************
As you can see above, "AUTHORITY: 0" is a non-authoritative answer.
Question:
With regards to resolving everything works - but I wonder why this happens.
Is this normal behavior for a setup with a resolver and using forward-zone
in PDNS? Do I have to care about this behavior to avoid running into
problems? I've already tried to set the SOA to the secondary instead of the
hidden master. But this does not change the authority value in a dig
query.
Note that this only happens for records in the internal zones. If I dig an
internal zone it gives back AUTHORITY: 1
***************************************************************
$ dig example1.mydomain.com @<my-secondary-ip>
..
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52050
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example1.mydomain.com. IN A
;; AUTHORITY SECTION:
example1.mydomain.com. 400 IN SOA my-primary.example1.mydomain.com. rz.mydomain.com. 2024103103 10800 3600 604800 3600
*******************************************************************
Compared to my old setup with BIND servers (a master and a slave which are
being used as resolvers for clients)
***************************************************************
$ dig test.example1.mydomain.com @<ip-of-my-current-BIND-servers>
..
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.example1.mydomain.com. IN A
;; ANSWER SECTION:
test.example1.mydomain.com. 400 IN A 10.0.25.28
;; AUTHORITY SECTION:
example1.mydomain.com. 400 IN NS bind-primary.example1.mydomain.com.
example1.mydomain.com. 400 IN NS bind-secondary.example1.mydomain.com.
;; ADDITIONAL SECTION:
bind-primary.example1.mydomain.com. 400 IN A 10.0.40.10
bind-secondary.example1.mydomain.com. 400 IN A 10.0.40.20
**********************************************
Thanks for any help.
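In dig's output it is the `aa` bit on the `flags:` line, not the AUTHORITY record count, that marks an authoritative answer: the recursor's two responses above lack `aa` even where AUTHORITY is 1, while the BIND response carries it. As an added example (not part of the post), this Python parser reads the three header lines quoted above and reports which ones were authoritative; the header strings are copied from the post and the function names are my own.

```python
import re

# The three ";; flags:" lines quoted in the post (copied here as sample input).
DIG_HEADERS = {
    "recursor A query":   ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1",
    "recursor SOA query": ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1",
    "bind A query":       ";; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3",
}

# dig's header line: the flag mnemonics, then the four section counts.
_HEADER_RE = re.compile(
    r";;\s*flags:\s*(?P<flags>[a-z ]*);\s*"
    r"QUERY:\s*(?P<query>\d+),\s*ANSWER:\s*(?P<answer>\d+),\s*"
    r"AUTHORITY:\s*(?P<authority>\d+),\s*ADDITIONAL:\s*(?P<additional>\d+)"
)


def parse_dig_header(line):
    """Split a dig flags line into the set of flag bits and the section counts."""
    m = _HEADER_RE.search(line)
    if not m:
        raise ValueError(f"not a dig flags line: {line!r}")
    d = m.groupdict()
    return {
        "flags": set(d["flags"].split()),
        "counts": {k: int(d[k]) for k in ("query", "answer", "authority", "additional")},
    }


def find_header(dig_output):
    """Pick the flags line out of a full dig transcript (the EDNS 'flags:' line does not match)."""
    for line in dig_output.splitlines():
        if _HEADER_RE.search(line):
            return parse_dig_header(line)
    raise ValueError("no ';; flags:' header line found")


def is_authoritative(header):
    """Only the aa bit says the responder is authoritative for the name."""
    return "aa" in header["flags"]


def classify(line):
    """Human-readable verdict that separates the aa bit from the AUTHORITY count."""
    h = parse_dig_header(line)
    n = h["counts"]["authority"]
    if is_authoritative(h):
        return f"authoritative (aa set, AUTHORITY section has {n} record(s))"
    return f"non-authoritative (aa clear, AUTHORITY section has {n} record(s))"


if __name__ == "__main__":
    for name, line in DIG_HEADERS.items():
        print(f"{name}: {classify(line)}")
```

Feeding the complete output of `dig test.example1.mydomain.com @<secondary>` to `find_header()` gives the same verdict for a live check.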