Hi Alun,

On 1/9/19 6:04 PM, Alun James wrote:
> Just having some confusion with the pdns-recursor forward-zones-file
> settings, which I will describe..
>
> ... Set up description ...
>
> Externally, authoritative requests are working fine and dnsdist sends
> correctly to localhost:5300 and the response has the “aa” flag. All good.
>
> Recursion is working fine from a whitelisted IP to external domains OK…

That is indeed what I expected from the description :).

> However, I can no longer get a response from any zone on my Auth server,
> as dnsdist sees my IP as on the whitelist and keeps sending me to the
> recursor rather than the auth and so I get a fail. To work around this,
> my zones are also defined in the pdns-recursor config in the
> forward-zone-file, which is included and correctly read on restart.
>
> Example from forward-zones-file: tibus.net=127.0.0.1:5300

Also correct.

> I can now query this zone OK from a whitelisted IP and get a response,
> however, I do not get “aa” flag, but instead “rd”.
>
> According to the documentation the zones listed in the forward-zone-file
> will only have the recursion-desired bit set if they are prefixed with a
> “+” (“Zones prefixed with a ‘+’ are forwarded with the recursion-desired
> bit set”). I do not have this prefix, but yet the bit is set. Have I
> confused this setting's meaning, misconfigured, or should I be getting an
> “aa” flag?

When the '+' is set in a forward-zones-file, the _outgoing_ query to the
specified server has the RD-bit set.

Is there a reason your internal clients *need* the AA-bit set in the
response, or was this merely curiosity? As long as the clients are
stub-resolvers, your set-up looks as though it should work.

Cheers,

Pieter

--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com

_______________________________________________
Pdns-users mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
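The two points in Pieter's reply (the '+' prefix only affects the RD bit of the recursor's outgoing query, and a recursor's answer carries "rd ra" rather than "aa") can be checked without a live server. The script below is an added example, not code from the thread or from PowerDNS: it parses forward-zones-file entries in the `zone=host[:port],...` form shown in the thread, reports whether the forwarded query would carry RD, and decodes the flag word of two constructed 12-byte DNS response headers the way `dig` prints it. The `+internal.example` entry, the 10.0.0.x servers and the header bytes are constructed for illustration; only `tibus.net=127.0.0.1:5300` comes from the thread, and IPv6 bracket syntax is not handled.

```python
"""Added example (not from the pdns-users thread or the PowerDNS project).

Parses pdns-recursor style forward-zones-file lines, shows which header
flags the forwarded query carries, and decodes AA/RD/RA from a response
header so the "aa" vs "rd ra" difference in the thread can be reproduced
offline.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample file. The tibus.net line is the one from the thread;
# the '+' entry and its servers are assumed values for illustration.
SAMPLE_FORWARD_ZONES_FILE = """\
# zones served by the local authoritative server (dnsdist -> recursor -> auth)
tibus.net=127.0.0.1:5300
# assumed entry: forwarded with the recursion-desired bit set
+internal.example=10.0.0.53, 10.0.0.54:5353
"""

# DNS header flag bits (RFC 1035 section 4.1.1).
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


@dataclass
class ForwardZone:
    zone: str
    servers: List[Tuple[str, int]]  # (host, port) pairs, port defaults to 53
    recurse: bool                   # True when the entry was prefixed with '+'


def parse_server(spec: str) -> Tuple[str, int]:
    """'host' or 'host:port' (IPv4 only in this example) -> (host, port)."""
    spec = spec.strip()
    if ":" in spec:
        host, port = spec.rsplit(":", 1)
        return host, int(port)
    return spec, 53


def parse_forward_zones_file(text: str) -> List[ForwardZone]:
    """Parse 'zone=server,server' lines; '+' marks recursion-desired forwarding."""
    zones = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        recurse = line.startswith("+")
        if recurse:
            line = line[1:]
        zone, _, servers = line.partition("=")
        zones.append(ForwardZone(
            zone.strip().lower(),
            [parse_server(s) for s in servers.split(",") if s.strip()],
            recurse,
        ))
    return zones


def outgoing_query_flags(zone: ForwardZone) -> int:
    """Flag word of the query the recursor sends to the forward target:
    RD is set only for entries that carried the '+' prefix."""
    return RD if zone.recurse else 0


def build_header(txid: int, flags: int, qd=1, an=0, ns=0, ar=0) -> bytes:
    """Pack a 12-byte DNS header (id, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT)."""
    return struct.pack("!6H", txid, flags, qd, an, ns, ar)


def decode_flags(header: bytes) -> dict:
    """Decode the flag bits of a 12-byte DNS header."""
    _txid, flags, *_counts = struct.unpack("!6H", header[:12])
    return {
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0xF,
    }


def dig_style_flags(header: bytes) -> str:
    """Render the set flags the way dig's 'flags:' line does, e.g. 'qr aa'."""
    f = decode_flags(header)
    return " ".join(n for n in ("qr", "aa", "tc", "rd", "ra") if f[n])


# Constructed headers: an authoritative answer straight from the server on
# :5300 (dig shows "aa"), and a recursor's answer to the same client query.
# A recursor does not set AA; it echoes the client's RD and adds RA.
AUTH_RESPONSE_HEADER = build_header(0x1234, QR | AA, an=1)
RECURSOR_RESPONSE_HEADER = build_header(0x1234, QR | RD | RA, an=1)

if __name__ == "__main__":
    for z in parse_forward_zones_file(SAMPLE_FORWARD_ZONES_FILE):
        print(z.zone, z.servers, "outgoing RD:", bool(outgoing_query_flags(z) & RD))
    print("auth   :", dig_style_flags(AUTH_RESPONSE_HEADER))
    print("recursor:", dig_style_flags(RECURSOR_RESPONSE_HEADER))
```

Running it prints `outgoing RD: False` for the tibus.net entry and `True` for the '+' entry, then `qr aa` for the authoritative header and `qr rd ra` for the recursor header, which is the difference Alun observed: the RD flag in the response to a stub resolver is the client's own RD bit being echoed, not the recursor's forwarding setting.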
