Sascha Holzleiter wrote:
> Sebastien Luttringer wrote:
>> Sascha Holzleiter wrote:
>> And for your example dig answer that...
>>
>> # dig @127.0.0.1 test.tdf-pmm.wan
>> ; <<>> DiG 9.3.4 <<>> @127.0.0.1 test.tdf-pmm.wan
>> ; (1 server found)
>> ;; global options: printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33663
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;test.tdf-pmm.wan. IN A
>>
>> ;; AUTHORITY SECTION:
>> . 3320 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2008030401 1800 900 604800 86400
>>
>> ;; Query time: 33 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Wed Mar 5 17:08:09 2008
>> ;; MSG SIZE rcvd: 109
>>
>
> This is strange. Powerdns usually never answers with an NXDOMAIN for
> domains which it thinks it is authoritative for.
>
> Ok, to make it short, maybe there is a problem in your
> Recursor<->Powerdns interaction, so here is a setup which works:

This is really strange because this problem is the same if the recursor is bind, so this cannot be a misconfiguration of pdns-recursor. No?

> pdns-recursor bound to 127.0.0.1
> pdns bound to 212.227.60.43

For me pdns-recursor bound to 127.0.0.1:5353 and pdns to 127.0.0.1:53

> For recursion to work you must specify the recursor in pdns.conf:
>
> recursor=127.0.0.1

recursor=127.0.0.1:5353

> Then, if you hit the nameserver with the question for e.g. in this
> example test.root-login.org it will forward this request to the
> recursor as it can't resolve the record by itself. For this example
> I have test.root-login.org as a CNAME to ns.seblu.net.
> But there is still the problem, that my secondary NS isn't controlled
> by me and also refuses to recurse this entry, so I'll tell the
> recursor to forward the root-login.org zone to my pdns server like this:
>
> forward-zones=root-login.org=212.227.60.43

for me forward-zones=tdf-pmm.wan=127.0.0.1

ok, this is a "solution". Thanks! But this cuts many advantages of pdns and its mysql backend. Because for each domain under authority of pdns a modification in recursor.conf is needed... This cannot be a solution.

> With this in place everything works as expected:
>
> > dig @212.227.60.43 test.root-login.org
>
> ; <<>> DiG 9.4.2 <<>> @212.227.60.43 test.root-login.org
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20401
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;test.root-login.org. IN A
>
> ;; ANSWER SECTION:
> test.root-login.org. 86178 IN CNAME ns.seblu.net.
> ns.seblu.net. 172578 IN A 88.191.33.22
>
> ;; Query time: 3 msec
> ;; SERVER: 212.227.60.43#53(212.227.60.43)
> ;; WHEN: Wed Mar 5 23:25:33 2008
> ;; MSG SIZE rcvd: 79
>
> What happens behind the scenes is this:
>
> * We ask PDNS for an A entry for test.root-login.org
> * PDNS has no A record for this, only a CNAME, but that wasn't asked
>   for, so the original query is forwarded to the recursor
> * The recursor gets the question for the A entry of
>   test.root-login.org. I've told him to ask any questions regarding
>   this zone my PDNS server, so he asks it and gets the CNAME and as
>   the recursor is allowed to recurse further it does this and comes
>   up with the A record.

Yes but this is a kind of "cheat code".

> * The recursor gives everything back to PDNS which gives it to us and
>   makes us happy ;)

No, because other recursive DNS, like those of an ISP or university, don't see this CNAME.

> Hope this helps to get your setup right. There seems to be something
> wrong there.
> With these things you just have to make sure you don't build a
> resolving circle within the recursor<->PDNS interaction :)

In fact no, but thanks for your help!

I think it's just a powerdns problem: if I run a bind on 10.0.2.15, I get this answer from dig

# dig @10.0.2.15 test.tdf-pmm.net
; <<>> DiG 9.3.4 <<>> @10.0.2.15 test.tdf-pmm.net
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43996
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;test.tdf-pmm.net. IN A

;; ANSWER SECTION:
test.tdf-pmm.net. 604800 IN CNAME ns.seblu.net.

;; AUTHORITY SECTION:
. 518400 IN NS A.ROOT-SERVERS.net.
. 518400 IN NS B.ROOT-SERVERS.net.
. 518400 IN NS C.ROOT-SERVERS.net.
. 518400 IN NS D.ROOT-SERVERS.net.
. 518400 IN NS E.ROOT-SERVERS.net.
. 518400 IN NS F.ROOT-SERVERS.net.
. 518400 IN NS G.ROOT-SERVERS.net.
. 518400 IN NS H.ROOT-SERVERS.net.
. 518400 IN NS I.ROOT-SERVERS.net.
. 518400 IN NS J.ROOT-SERVERS.net.
. 518400 IN NS K.ROOT-SERVERS.net.
. 518400 IN NS L.ROOT-SERVERS.net.
. 518400 IN NS M.ROOT-SERVERS.net.

;; Query time: 34 msec
;; SERVER: 10.0.2.15#53(10.0.2.15)
;; WHEN: Mon Mar 10 12:18:41 2008
;; MSG SIZE rcvd: 266

and on 127.0.0.1 a pdns server

# dig @127.0.0.1 test.tdf-pmm.wan
; <<>> DiG 9.3.4 <<>> @127.0.0.1 test.tdf-pmm.wan
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41025
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;test.tdf-pmm.wan. IN A

;; AUTHORITY SECTION:
. 10164 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2008030901 0 900 604800 86400

;; Query time: 88 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Mar 10 12:18:30 2008
;; MSG SIZE rcvd: 109

Bind, when it's not a recursor, answers to an A record with a CNAME record if it exists (but doesn't recurse, of course).
Pdns, when it's not a recursor, answers to an A record with an nxdomain, and then the recursive dns assumes this is true...

pdns :/

--
Sebastien "Seblu" Luttringer [EMAIL PROTECTED]
Smartjog SA http://www.smartjog.com/

_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
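A way to tell the two replies contrasted in the message above apart mechanically, as an added example that is not part of the original thread: it parses dig output and labels the answer from its status, the `aa` flag and the owner of the SOA in the authority section. The function names and labels are illustrative assumptions; the two sample inputs are abridged from the dig output quoted above.

```python
import re

def parse_dig(text):
    """Pull status, header flags and per-section records out of dig output."""
    out = {"status": re.search(r"status: (\w+)", text).group(1),
           "flags": re.search(r"flags: ([a-z ]+);", text).group(1).split(),
           "sections": {}}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = out["sections"].setdefault(m.group(1), [])
        elif line.startswith(";;") or not line:
            current = None          # header/footer line or blank: section ended
        elif current is not None:
            current.append(line.lstrip(";").split())
    return out

def diagnose(text):
    """Label the answer (labels are illustrative, not dig or PowerDNS terms)."""
    r = parse_dig(text)
    types = [rec[3] for rec in r["sections"].get("ANSWER", [])]
    soa_owners = [rec[0] for rec in r["sections"].get("AUTHORITY", [])
                  if rec[3] == "SOA"]
    # Non-authoritative NXDOMAIN carrying the root SOA: the denial came from
    # recursion to the root servers, not from the locally hosted zone.
    if r["status"] == "NXDOMAIN" and "aa" not in r["flags"] and "." in soa_owners:
        return "nxdomain-from-root-via-recursor"
    if r["status"] == "NOERROR" and "CNAME" in types:
        return "cname-chased-to-address" if "A" in types else "cname-only-target-not-chased"
    return "other"

# Sample inputs, abridged from the dig output quoted in the message above.
PDNS = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41025
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;test.tdf-pmm.wan. IN A
;; AUTHORITY SECTION:
. 10164 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2008030901 0 900 604800 86400
;; Query time: 88 msec"""
BIND = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43996
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;test.tdf-pmm.net. IN A
;; ANSWER SECTION:
test.tdf-pmm.net. 604800 IN CNAME ns.seblu.net.
;; AUTHORITY SECTION:
. 518400 IN NS A.ROOT-SERVERS.net.
;; Query time: 34 msec"""

if __name__ == "__main__":
    print(diagnose(PDNS), diagnose(BIND))
```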
