Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
On Thu, Dec 12, 2013 at 06:17:50PM -0600, Drew Decker wrote:
> Does anyone else know of a way to do this, or could give me some recommendations on how we could do this in our current configuration? We just need to be able to create a delegation in PowerDNS to use a different Nameserver on the actual isilon. We are basically delegating to the Isilon for a specific subdomain.
>
> Thanks!

Hi again Drew,

I thought that you said that you shared the domain with the Isilon? But above you say that it is its own domain. Which is it? I thought that the Isilon required its own domain to work.

Regards,
Ken

> On Wed, Dec 4, 2013 at 2:06 PM, k...@rice.edu wrote:
> > On Wed, Dec 04, 2013 at 02:03:57PM -0600, Drew Decker wrote:
> > > Ken,
> > >
> > > Yea - I don't think this will work for us. Our domain is shared with the Isilon, so it would be lab.domain.com, and I don't want to forward the entire zone over to the Isilon.
> > >
> > > thanks!
> >
> > Yes, we put our Isilon in its own (sub)domain for exactly that reason. It made this easy. You could roll-your-own with lua in the recursor if a separate domain is not possible.
> >
> > Regards,
> > Ken
>
> --
> Best Regards,
> Drew Decker

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
No it's shared - so to speak. It's part of the lab.example.com domain. That's the common domain. I'm trying to delegate labisilon.lab.example.com to the isilon smartconnect feature.

Sent from my iPhone
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
So there is no A record for labisilon.lab.example.com in the pdns01 name server? (What's the dig output when you request the A record for the delegated domain?)

Michael,

You are correct - my typo - it is labisilon (not simply isilon). When I do “dig @pdns01 NS labisilon.lab.example.com” I get the following:

$ dig @psl-pdns01 ns pslisilon.lab.securustech.net

; <<>> DiG 9.8.3-P1 <<>> @psl-pdns01 ns pslisilon.lab.securustech.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53684
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;labisilon.lab.example.com. IN NS

;; AUTHORITY SECTION:
labisilon.lab.example.com. 900 IN NS lab-isilon.lab.example.com.

;; ADDITIONAL SECTION:
lab-isilon.lab.example.com. 900 IN A x.x.x.x

;; Query time: 59 msec

I don’t believe the records are overlapping according to this output but please correct me if I’m wrong on this.

--
Drew Decker
Sent with Airmail

On December 13, 2013 at 12:35:02 AM, Michael Loftis (mlof...@wgops.com) wrote:
> Is the delegated zone isilon or labisilon? I think you need to check the A, and NS records as you've mixed them up even in the email there. I would delegate a completely different sub domain than I would name the A record just to avoid such confusion, it sounds like you've got an NS and A records for the same name, which is why you're getting the static A record from powerdns. In your typed example you are using labisilon as the sub domain and lab-isilon as the A record and NS delegation...
>
> What does dig NS labisilon.lab.example.com @1.2.3.4 give you? (Replace 1.2.3.4 with the pdns auth server ip address) you should get back two records, one NS type pointing to lab-isilon and one A type giving the address to send UDP/TCP queries to. Sounds like that's where the problem is still.
>
> Your delegation shouldn't have any overlapping A records labisilon should be just an NS which points to lab-isilon, otherwise you get the behavior you described. Which is a broken delegation.
>
> On Dec 12, 2013 9:54 PM, Drew Decker drewrocksh...@gmail.com wrote:
> > Michael,
> >
> > I think you only read a few posts on this thread, so I’ll give you some details of what had/has been done up to this point, as I read your entire email and from what you are saying, I’ve already done (which is why I’m reaching out to the community) - correct me if I’m wrong.
> >
> > I have a single zone: *lab.example.com*
> >
> > The isilon needs a delegated zone for it to use, so we simply chose *isilon.lab.example.com*
> >
> > From a PowerDNS perspective, *lab.example.com* lives on a single server *pdns01* and the database server runs on its own dedicated hardware *pdnsdb01*. A single zone was created - *lab.example.com*
> >
> > We added the following DNS records to PowerDNS (in the *lab.example.com* zone):
> >
> > labisilon.lab.example.com. 900 IN NS lab-isilon.lab.example.com.
> > lab-isilon.lab.example.com. 900 IN A x.x.x.x
> >
> > Once we added this, it still does not work; when we ping labisilon.lab.example.com, it returns the IP from lab-isilon.lab.example.com, which would be as expected, but since the “x.x.x.x” IP is a SmartConnect IP on the Isilon, it actually takes that IP and gives a random IP (depends on how the Isilon is configured) back to the client. So, in our case, we basically round-robin it, so each new request to the isilon should give us a new IP, until we get to the end, and then we start over.
> >
> > I just need to know if I’m missing something here, and if not, maybe it is an issue with the Isilon, in this case. I just want to make sure that I’m setting up DNS delegation correctly in PowerDNS, or if I’m missing something PowerDNS specific.
> >
> > Thanks for your continued input.
> >
> > --
> > Drew Decker
> >
> > On December 12, 2013 at 9:32:33 PM, Michael Loftis (mlof...@wgops.com) wrote:
> > > The most common and obvious example of glue is when you have a TLD such as GOV, COM, or EDU delegate your domain, your NS records usually exist within your domain so glue must exist higher up, exact same principle applies at every level where a delegation occurs.
> > >
> > > Say isil.lab.example.com is served by the isilon. This is the delegated subdomain. lab.example.com is served by other nameservers. The A record you're using could be ns1.isil.lab.example.com, and so must exist in both the isil.lab.example.com domain, AND the lab.example.com domain, in two separate nameservers. You must have on BOTH the lab.example.com and the isil.lab.example.com domains and nameservers A records for out of zone nameservers in subdomains are called glue. Nothing magical. Everyone has some in COM, GOV, EDU, ORG, etc. If you take a look at google.com, you'll see ns1 through ns4.google.com -- those four A records exist in the COM zone
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
Sorry - replace “pslisilon.lab.securustech.net” with “pslisilon.lab.domain.com” (trying to keep things simple)

--
Drew Decker
Sent with Airmail

On December 13, 2013 at 10:23:02 AM, Drew Decker (drewrocksh...@gmail.com) wrote:
> pslisilon.lab.securustech.net
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
Same output -

dig @psl-pdns01 A pslisilon.lab.securustech.net

; <<>> DiG 9.8.3-P1 <<>> @pdns01 A labisilon.lab.domain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24930
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;labisilon.lab.domain.com. IN A

;; AUTHORITY SECTION:
labisilon.lab.domain.com 900 IN NS lab-isilon.lab.domain.com.

;; ADDITIONAL SECTION:
lab-isilon.lab.domain.com. 900 IN A x.x.x.x

;; Query time: 2 msec

Do I need to specifically add an “A” record of labisilon.lab.domain.com - x.x.x.x?

--
Drew Decker
Sent with Airmail

On December 13, 2013 at 10:18:10 AM, Michael Loftis (mlof...@wgops.com) wrote:
> labisilon.lab.example.com
[Pdns-users] MyDNS-Bind Migration and DNSSEC
Hello Everyone,

I am in the middle of migration testing for 330K Domains and 1.8 Million records from a MyDNS with a Bind Mysql backend to PowerDNS with PDNSSEC with gmysql backend. We have had no issue migrating zones and records after creating the scripts. Our issue lies in serving the zones. I am finding unless I run

pdnssec rectify-zone xyz.com

I will see this in monitor and no answer will be provided

Dec 13 09:58:35 Should not get here (xyz.com|1): please run pdnssec rectify-zone

Upon running rectify-zone all behaves properly. I thought I could run Normal and Secured zones on one server? We are inserting NULL in ordername and auth could this be the cause?

Eric Haskins
*High Octane Brands LLC*
PHP/MySQL Developers ~ E-Commerce Specialists
Magento, OpenCart, WordPress Optimized Hosting
HighOctaneBrands.com
978-905-9603 Cell
Re: [Pdns-users] MyDNS-Bind Migration and DNSSEC
Hello Eric,

On Dec 13, 2013, at 17:42 , Eric Haskins wrote:
> I am in the middle of migration testing for 330K Domains and 1.8 Million records from a MyDNS with a Bind Mysql backend to PowerDNS with PDNSSEC with gmysql backend, We have had no issue migrating zones and records after creating the scripts. Our issue lies in serving the zones. I am finding unless I run
>
> pdnssec rectify-zone xyz.com
>
> I will see this in monitor and no answer will be provided
>
> Dec 13 09:58:35 Should not get here (xyz.com|1): please run pdnssec rectify-zone
>
> Upon running rectify-zone all behaves properly. I thought I could run Normal and Secured zones on one server? We are inserting NULL in ordername and auth could this be the cause?

You have a few options:

1) remove gmysql-dnssec from your configuration. This will fully disable DNSSEC, and also disable all features that use the domainmetadata table. It will also make PowerDNS ignore ordername and auth and this error will go away.

2) keep gmysql-dnssec, and fake up ordername and auth. For non-DNSSEC domains, put 1 in auth. ordername is ignored so NULL is a good value for it.

If you do want to support DNSSEC for (some) domains, please read http://doc.powerdns.com/html/dnssec-modes.html#dnssec-direct-database very carefully and/or use rectify-zone after zone data changes.

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
Re: [Pdns-users] MyDNS-Bind Migration and DNSSEC
Peter,

Thank You we did manage to get it to work via auth = 1.

I have one other question in regards to the DS and DNSKEY records from a registry perspective ICANN requires registrars to provide a mechanism allowing a domain owner to secure a zone. The registrar has to submit the DS and DNSKEY values to the registrar via API is there a way to get these records since it appears PowerDNS is building on the fly when requested??

This and Rollover are our last hurdles

Thx again Peter

Eric Haskins
*High Octane Brands LLC*
PHP/MySQL Developers ~ E-Commerce Specialists
Magento, OpenCart, WordPress Optimized Hosting
HighOctaneBrands.com
978-905-9603 Cell
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
No you definitely do not want to add an A record for labisilon.lab.domain.com to the powerdns server, that would cause it to always serve the A record.

From the response information I take it the powerdns server isn't your recursive resolver (IE it's not what's in the /etc/resolv.conf or equivalent for your platform) - but from the output you've shown me the first half of the delegation is fine. The second half of the delegation must also exist or BIND in particular won't count it as valid (though the validation is lazy so you'll sometimes get an answer, but most of the time not) -- and the second half is the matching NS record on the isilon, and the SOA (though the SOA is less important) -- you'll want to do the same dig @x.x.x.x NS labisilon.lab.domain.com and dig @x.x.x.x A labisilon.lab.domain.com - this is all part of diagnosing what actually *is* happening with this delegation.

If the NS records aren't being returned from the isilon or the A or SOA isn't I can't really help you out there if those aren't there as I've never used the smartconnect product though there's a small chance I can get some information since we used their storage boxes at my present day job years back before I started (We literally have a couple racks worth of them sitting around after being decommissioned).

... reading a bit in...is securustech.net the actual domain? It has wild cards which would be causing all manner of hell for you, if the A record you're getting back is the same as I'm seeing from the outside - 69.43.161.163 - then that would explain your problems. Your recursive resolver is getting the wildcard answers from your outside nameservers.

--
Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
Michael,

the PowerDNS server IS the main recursor resolver and the IP of the PowerDNS server is actually in /etc/resolv.conf for all of the platform servers. We no longer have any BIND servers in our infrastructure.

Here are the dig outputs:

$ dig @pdns01 NS labisilon.lab.domain.com

; <<>> DiG 9.8.3-P1 <<>> @pdns01 NS labisilon.lab.domain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9680
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;labisilon.lab.domain.com. IN NS

;; AUTHORITY SECTION:
lab.domain.com. 900 IN SOA pdns01.lab.domain.com. linuxadmins.domain.com. 2013073047 86400 7200 604800 3600

;; Query time: 1 msec

[~] ddecker$ dig @pdns01 A labisilon.lab.domain.com

; <<>> DiG 9.8.3-P1 <<>> @pdns01 A labisilon.lab.domain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1337
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;labisilon.lab.domain.com. IN A

;; AUTHORITY SECTION:
lab.domain.com. 900 IN SOA pdns01.lab.domain.com. linuxadmins.domain.com. 2013073047 86400 7200 604800 3600

;; Query time: 0 msec

--
Drew Decker
Sent with Airmail
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
Ah...You actually *may* have hit a bug. What version of powerdns and what backend? There's an issue on github, number 49, fixed in commit number 549 according to the bug where PDNS was behaving similar to this...if you dig for things *under* that subdomain eg test.labisilon.lab.domain.com you get the correct response (NS and A records w/ no AA bit indicating you must chase the delegation) -- but when querying for the delegated domain, it returns the SOA and an AA bit w/ NXDOMAIN indicating no such record.

https://github.com/PowerDNS/pdns/issues/49

Might actually be that bug you're seeing! Sorry for the run around if so, I didn't even know the bug existed until now. This of course assumes correct records and all...which is why I had you run all those digs...

--
Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
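Added example (not part of the thread and not PowerDNS code): a small Python classifier for the dig responses discussed above, separating a clean referral from the authoritative NXDOMAIN that was matched to issue 49 and from a parent-zone record that overlaps the delegation. The first two samples are the outputs posted in the thread; the third sample is constructed, and all function names are hypothetical.

```python
import re

# Responses quoted in the thread (names as redacted by the poster).
REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24930
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;labisilon.lab.domain.com. IN A
;; AUTHORITY SECTION:
labisilon.lab.domain.com 900 IN NS lab-isilon.lab.domain.com.
;; ADDITIONAL SECTION:
lab-isilon.lab.domain.com. 900 IN A x.x.x.x
"""
AUTH_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9680
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;labisilon.lab.domain.com. IN NS
;; AUTHORITY SECTION:
lab.domain.com. 900 IN SOA pdns01.lab.domain.com. linuxadmins.domain.com. 2013073047 86400 7200 604800 3600
"""
# Constructed sample (not from the thread): an A record overlapping the cut.
OVERLAP = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;labisilon.lab.domain.com. IN A
;; ANSWER SECTION:
labisilon.lab.domain.com. 900 IN A 192.0.2.10
"""

def norm(name):
    """Lower-case a DNS name and drop the trailing dot."""
    return name.rstrip(".").lower()

def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)

def parse_dig(text):
    """Parse status, flags and record sections out of dig's text output."""
    resp = {"status": None, "flags": set(), "QUESTION": [],
            "ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.search(r"HEADER.*status:\s*(\w+)", line):
            resp["status"] = m.group(1)
        elif m := re.match(r";; flags:([a-z ]*);", line):
            resp["flags"] = set(m.group(1).split())
        elif m := re.match(r";; (\w+) SECTION:", line):
            section = m.group(1)
        elif not line:
            section = None
        elif section == "QUESTION" and line.startswith(";"):
            name, _cls, qtype = line[1:].split()
            resp["QUESTION"].append((norm(name), qtype))
        elif section in resp and not line.startswith(";"):
            f = line.split()  # owner, ttl, class, type, rdata...
            resp[section].append((norm(f[0]), f[3], " ".join(f[4:])))
    return resp

def classify(resp):
    """Say how the queried server treated the name in the question."""
    qname = resp["QUESTION"][0][0]
    aa = "aa" in resp["flags"]
    ns = [r for r in resp["AUTHORITY"] if r[1] == "NS" and in_zone(qname, r[0])]
    soa = [r for r in resp["AUTHORITY"] if r[1] == "SOA" and in_zone(qname, r[0])]
    if resp["status"] == "NOERROR" and not aa and not resp["ANSWER"] and ns:
        # Referral: the resolver must chase the NS targets, so it needs addresses.
        have = {r[0] for r in resp["ADDITIONAL"] if r[1] in ("A", "AAAA")}
        missing = {norm(r[2]) for r in ns} - have
        return "referral" if not missing else "referral-no-address"
    if resp["status"] == "NXDOMAIN" and aa and soa:
        return "authoritative-nxdomain"  # parent denies the delegated name
    if resp["status"] == "NOERROR" and aa and resp["ANSWER"]:
        return "authoritative-answer"    # parent's own record shadows the cut
    return "other"

if __name__ == "__main__":
    for text in (REFERRAL, AUTH_NXDOMAIN, OVERLAP):
        print(classify(parse_dig(text)))
```

Running the same check against both the parent server and the delegated name server, for the delegated name itself and for a name under it, shows which half of the delegation is misbehaving.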