Hi Michael,

Please keep replies on the mailing list (mails reproduced below).

Judging by your log and some of my testing, I think you uncovered a bug in the DNSSEC implementation. Could you try this with `dnssec=off` in the recursor.conf?

Best regards,

Pieter

On Wed, 9 Mar 2016 07:46:49 +0100
Bit World Computing - Michael Mertel <[email protected]> wrote:

> Hello Pieter,
>
> thanks for helping me out on this.
>
>
> On 08.03.2016 at 18:57, Pieter Lexis <[email protected]> wrote:
> >
> > Hello Michael,
> >
> > On Tue, 8 Mar 2016 16:32:26 +0100
> > Bit World Computing - Michael Mertel <[email protected]> wrote:
> >
> >> I was wondering why an apt-get update cannot resolve repo.powerdns.com,
> >> but a ping is able to do so. This only happens if /etc/resolv.conf points
> >> to my recursor. If I use 8.8.8.8 as nameserver everything works as
> >> expected.
> >>
> >> This is somewhat strange, because 8.8.8.8 is the forwarding dns for my
> >> local recursor.
> >
> > Do you use the `forward-zones-recurse`[1] or the `forward-zones`[2] option?
> > When forwarding to Google (8.8.8.8), the `forward-zones-recurse` option is
> > needed (i.e. `forward-zones-recurse=.=8.8.8.8` in your recursor.conf). This
> > will set the Recursion Desired-bit on the query sent out. Google sends
> > SERVFAIL to clients without the RD-bit set.
> >
> I currently use these forward statements in my recursor.conf:
>
> forward-zones-file=/etc/powerdns/forward-zones
> forward-zones-recurse=.=8.8.8.8
>
> The forward-zones file points to some internal nameservers, all 8.8.8.8
> related is done through forward-zones-recurse.
>
> >
> > If this is the case and you still have these issues, could you enable the
> > `trace`[3] option and query your local resolver for repo.powerdns.com and
> > email the traces?
> >
> I attached the trace log, hope it includes everything you need. I tried to
> keep the noise as low as possible, but some other systems queried the
> recursor as well.
>
> >> Maybe it’s how the apt-get tries to resolve the name? The only thing I
> >> found was that getent is not returning the correct results.
> >
> > apt, ping and getent all seem to use the getaddrinfo(3) call.
> >
> I was 100% sure that a ping worked, but it does not work now, repo.powerdns.com
> is not resolving anywhere. repo1.powerdns.com is a different story:
>
> root@dns-1:/var/log# ping repo.powerdns.com
> ping: unknown host repo.powerdns.com
> root@dns-1:/var/log# getent hosts repo1.poerdns.com
> root@dns-1:/var/log# ping repo1.powerdns.com
> PING repo1.powerdns.com (188.166.116.224) 56(84) bytes of data.
> 64 bytes from repo1.powerdns.com (188.166.116.224): icmp_seq=1 ttl=58 time=42.9 ms
> 64 bytes from repo1.powerdns.com (188.166.116.224): icmp_seq=2 ttl=58 time=42.9 ms

On Wed, 9 Mar 2016 08:28:05 +0100
Bit World Computing - Michael Mertel <[email protected]> wrote:

> Hi Pieter,
>
> sorry I overlooked a typo.
>
> root@dns-1:/var/log# getent hosts repo.powerdns.com
> 2a03:b0c0:2:d0::4a4:6001 repo1.powerdns.com repo.powerdns.com
> root@dns-1:/var/log# getent hosts repo1.powerdns.com
> 2a03:b0c0:2:d0::4a4:6001 repo1.powerdns.com
>
> Does this mean my recursor is preferring ipv6 over ipv4? I don’t use ipv6 at
> all.
>

-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
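
What the Recursion Desired bit discussed in the quoted reply looks like on the wire, as an added example that is not part of the original thread or of PowerDNS: it builds the same question with and without RD and decodes the header flags. The transaction id `0x1234`, the helper names and the SERVFAIL reply are constructed for illustration.

```python
import struct

# DNS header flag masks (RFC 1035, section 4.1.1)
QR, RD, RA = 0x8000, 0x0100, 0x0080
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Encode a hostname as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1, recursion_desired=True, txid=0x1234):
    """Build a one-question query; qtype 1 = A, 28 = AAAA. txid is a constructed value."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_header(packet):
    """Decode the fixed 12-byte header of a query or response."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    rcode = flags & 0x000F
    return {"id": txid, "response": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "rcode": RCODES.get(rcode, str(rcode)),
            "answers": an}

def servfail_for(query):
    """Constructed reply: echo the question, set QR and RA, RCODE 2, keep RD as sent."""
    txid, flags = struct.unpack("!HH", query[:4])
    reply_flags = QR | RA | (flags & RD) | 2
    return struct.pack("!HHHHHH", txid, reply_flags, 1, 0, 0, 0) + query[12:]

if __name__ == "__main__":
    for rd in (False, True):
        q = build_query("repo.powerdns.com", recursion_desired=rd)
        print("RD=%s flags=%s %s" % (rd, q[2:4].hex(), parse_header(q)))
    no_rd = build_query("repo.powerdns.com", recursion_desired=False)
    print(parse_header(servfail_for(no_rd)))
```

Comparing the flags word of a captured outgoing query against these two forms shows whether the forwarder was sent a recursive or an iterative question.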
