On 2015-02-04 14:00, James Cornman wrote:
[james@eng:~] % dig @10.250.50.237 100.94.145.204.in-addr.arpa ptr
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @10.250.50.237
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;100.94.145.204.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
100.94.145.204.in-addr.arpa. 3600 IN NS ns17.bitronictech.net.
It indeed returns with the authoritative answer, but I believe my
expectation was that since recursion is desired, and there is a
pdns-recursor available, that it would do the deed. Mainly that dig or
nslookup off of the pdns-authoritative server, with recursion enabled,
would end up with an actual PTR answer. You mention that BIND just
happens to do both at the same time..is that something that PDNS can't
do, or something I'm doing wrong, or in general a false perception of
what is right?
For recursion to become available on the authoritative Server (i.e.
pdns-server) the config variables
https://doc.powerdns.com/md/authoritative/settings/#recursor
and
https://doc.powerdns.com/md/authoritative/settings/#allow-recursion
will have to be set accordingly.
However it is discouraged to do recursion with the auth Server because
it leads to exactly the kind of confusion you ran into.
Also http://cr.yp.to/djbdns/separation.html lists some good reasons for
keeping those two services separated from each other.
BIND9 also changed its default behaviour in that regard.
(https://kb.isc.org/article/AA-00269/0/What-has-changed-in-the-behavior-of-allow-recursion-and-allow-query-cache.html)
Here you ask with the "rd" aka recursion desired flag and it appears
that your BIND Server is indeed configured to recurse for you and go ask
ns17.bitronictech.net about the PTR for 100.94.145.204.in-addr.arpa.
This is how recursive DNS works, however it is not how authoritative DNS
works.
BIND just happens to do both at the same time.
Querying the pdns-recursor directly does return the proper result,
however ARIN isn't set to point to this pool of pdns servers and thus
this recursion is likely interacting with BIND which is still
authoritative for the reverse in-addr.arpa zone....none of which helps
my troubleshooting
Correct, if the ARIN nameservers are still pointing to the IPs of your
BIND9 setup then there is no easy way to test if your new setup works
with recursive nameservers.
As I said already you could tell your recursive Server to ask the IP of
your PowerDNS auth setup directly, thus bypassing the ARIN delegation.
In PowerDNS recursor you could do that with the
https://doc.powerdns.com/md/recursor/settings/#forward-zones-recurse
option.
For example put
forward-zones-recurse=94.145.204.in-addr.arpa=10.250.50.237
in your recursor.conf.
Stefan
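
Added example, not part of the original message: a small Python classifier for dig's text output that tells a delegation (no answer, NS in the authority section, "aa" flag clear) from an authoritative or recursive answer, run over the dig response quoted in this thread. The function names and the result labels are this example's own, and it reads only the header and section lines, not the rcode.

```python
import re

# Constructed sample: the dig response quoted in the thread, with the
# wrapped NS record rejoined onto one line.
SAMPLE = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;100.94.145.204.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
100.94.145.204.in-addr.arpa. 3600 IN NS ns17.bitronictech.net.
"""

HEADER = re.compile(r"flags:([^;]*);\s*QUERY: (\d+), ANSWER: (\d+), "
                    r"AUTHORITY: (\d+), ADDITIONAL: (\d+)")


def parse_dig(text):
    """Return (flags, section counts, record types in the AUTHORITY section)."""
    m = HEADER.search(text)
    if not m:
        raise ValueError("no dig header line found")
    flags = set(m.group(1).split())
    names = ("query", "answer", "authority", "additional")
    counts = dict(zip(names, map(int, m.groups()[1:])))
    auth_types, section = [], None
    for line in text.splitlines():
        s = re.match(r";; (\w+) SECTION:", line)
        if s:
            section = s.group(1)
        elif section == "AUTHORITY" and line and not line.startswith(";"):
            fields = line.split()          # name, ttl, class, type, rdata...
            if len(fields) >= 4:
                auth_types.append(fields[3])
    return flags, counts, auth_types


def classify(text):
    """Label a dig response; the labels are this example's own wording."""
    flags, counts, auth_types = parse_dig(text)
    if counts["answer"] > 0:
        return "authoritative answer" if "aa" in flags else "recursive or cached answer"
    if "NS" in auth_types and "aa" not in flags:
        return "referral"                  # points at another server, no data
    if "SOA" in auth_types:
        return "negative answer"           # name or type does not exist
    return "empty response"


if __name__ == "__main__":
    print(classify(SAMPLE))
```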