Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
The versions of PowerDNS that we are running are as follows (and I don’t think it matches the criteria that the bug indicates, but could be a new bug):

PowerDNS Server: Version: 3.2, compiled on Jan 17 2013, 11:13:59 with gcc version 4.4.6 20120305 (Red Hat 4.4.6-4)
PowerDNS Recursor: version: 3.5.2

--
Drew Decker

On December 16, 2013 at 11:10:02 AM, Michael Loftis (mlof...@wgops.com) wrote:

I can't replicate with 3.0.1 so I don't think it's in any current code. Barring a regression of course. Idk what he is running but it is possible that it's old and affected. Can't be sure since I can't investigate directly.

On Dec 15, 2013 11:40 PM, Peter van Dijk peter.van.d...@netherlabs.nl wrote:

Hello folks,

I have not followed this thread (I saw it was full of helpful people already!), but I would just like to point out that that bug is actually 8 years old -- our github migration could not copy the timestamps reliably. The fix was in version 2.9.20, released March 2006.

That said, if anybody does think a bug has been found in a recent PowerDNS, we're happy to look into it!

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

On Dec 13, 2013, at 23:54 , Michael Loftis wrote:

Ah...You actually *may* have hit a bug. What version of powerdns and what backend? There's an issue on github, number 49, fixed in commit number 549 according to the bug where PDNS was behaving similar to this...if you dig for things *under* that subdomain eg test.labisilon.lab.domain.com you get the correct response (NS and A records w/ no AA bit indicating you must chase the delegation) -- but when querying for the delegated domain, it returns the SOA and an AA bit w/ NXDOMAIN indicating no such record.

https://github.com/PowerDNS/pdns/issues/49

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
I can't replicate with 3.0.1 so I don't think it's in any current code. Barring a regression of course. Idk what he is running but it is possible that it's old and affected. Can't be sure since I can't investigate directly.

On Dec 15, 2013 11:40 PM, Peter van Dijk peter.van.d...@netherlabs.nl wrote:

Hello folks,

I have not followed this thread (I saw it was full of helpful people already!), but I would just like to point out that that bug is actually 8 years old -- our github migration could not copy the timestamps reliably. The fix was in version 2.9.20, released March 2006.

That said, if anybody does think a bug has been found in a recent PowerDNS, we're happy to look into it!

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

On Dec 13, 2013, at 23:54 , Michael Loftis wrote:

Ah...You actually *may* have hit a bug. What version of powerdns and what backend? There's an issue on github, number 49, fixed in commit number 549 according to the bug where PDNS was behaving similar to this...if you dig for things *under* that subdomain eg test.labisilon.lab.domain.com you get the correct response (NS and A records w/ no AA bit indicating you must chase the delegation) -- but when querying for the delegated domain, it returns the SOA and an AA bit w/ NXDOMAIN indicating no such record.

https://github.com/PowerDNS/pdns/issues/49
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
Hello folks,

I have not followed this thread (I saw it was full of helpful people already!), but I would just like to point out that that bug is actually 8 years old -- our github migration could not copy the timestamps reliably. The fix was in version 2.9.20, released March 2006.

That said, if anybody does think a bug has been found in a recent PowerDNS, we're happy to look into it!

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

On Dec 13, 2013, at 23:54 , Michael Loftis wrote:

Ah...You actually *may* have hit a bug. What version of powerdns and what backend? There's an issue on github, number 49, fixed in commit number 549 according to the bug where PDNS was behaving similar to this...if you dig for things *under* that subdomain eg test.labisilon.lab.domain.com you get the correct response (NS and A records w/ no AA bit indicating you must chase the delegation) -- but when querying for the delegated domain, it returns the SOA and an AA bit w/ NXDOMAIN indicating no such record.

https://github.com/PowerDNS/pdns/issues/49
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
On Thu, Dec 12, 2013 at 06:17:50PM -0600, Drew Decker wrote:

Does anyone else know of a way to do this, or could give me some recommendations on how we could do this in our current configuration? We just need to be able to create a delegation in PowerDNS to use a different Nameserver on the actual isilon. We are basically delegating to the Isilon for a specific subdomain. Thanks!

Hi again Drew,

I thought that you said that you shared the domain with the Isilon? But above you say that it is its own domain. Which is it? I thought that the Isilon required its own domain to work.

Regards,
Ken

On Wed, Dec 4, 2013 at 2:06 PM, k...@rice.edu k...@rice.edu wrote:

On Wed, Dec 04, 2013 at 02:03:57PM -0600, Drew Decker wrote:

Ken, Yea - I don't think this will work for us. Our domain is shared with the Isilon, so it would be lab.domain.com, and I don't want to forward the entire zone over to the Isilon. thanks!

Yes, we put our Isilon in its own (sub)domain for exactly that reason. It made this easy. You could roll-your-own with lua in the recursor if a separate domain is not possible.

Regards,
Ken

--
Best Regards,
Drew Decker
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
No it's shared - so to speak. It's part of the lab.example.com domain. That's the common domain. I'm trying to delegate labisilon.lab.example.com to the isilon smartconnect feature.

Sent from my iPhone

On Dec 13, 2013, at 7:48 AM, k...@rice.edu k...@rice.edu wrote:

On Thu, Dec 12, 2013 at 06:17:50PM -0600, Drew Decker wrote:

Does anyone else know of a way to do this, or could give me some recommendations on how we could do this in our current configuration? We just need to be able to create a delegation in PowerDNS to use a different Nameserver on the actual isilon. We are basically delegating to the Isilon for a specific subdomain. Thanks!

Hi again Drew,

I thought that you said that you shared the domain with the Isilon? But above you say that it is its own domain. Which is it? I thought that the Isilon required its own domain to work.

Regards,
Ken

On Wed, Dec 4, 2013 at 2:06 PM, k...@rice.edu k...@rice.edu wrote:

On Wed, Dec 04, 2013 at 02:03:57PM -0600, Drew Decker wrote:

Ken, Yea - I don't think this will work for us. Our domain is shared with the Isilon, so it would be lab.domain.com, and I don't want to forward the entire zone over to the Isilon. thanks!

Yes, we put our Isilon in its own (sub)domain for exactly that reason. It made this easy. You could roll-your-own with lua in the recursor if a separate domain is not possible.

Regards,
Ken

--
Best Regards,
Drew Decker
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
So there is no A record for labisilon.lab.example.com in the pdns01 name server? (What's the dig output when you request the A record for the delegated domain?)

Michael,

You are correct - my typo - it is labisilon (not simply isilon). When I do “dig @pdns01 NS labisilon.lab.example.com” I get the following:

$ dig @psl-pdns01 ns pslisilon.lab.securustech.net

; <<>> DiG 9.8.3-P1 <<>> @psl-pdns01 ns pslisilon.lab.securustech.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53684
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;labisilon.lab.example.com. IN NS

;; AUTHORITY SECTION:
labisilon.lab.example.com. 900 IN NS lab-isilon.lab.example.com.

;; ADDITIONAL SECTION:
lab-isilon.lab.example.com. 900 IN A x.x.x.x

;; Query time: 59 msec

I don’t believe the records are overlapping according to this output but please correct me if I’m wrong on this.

--
Drew Decker
Sent with Airmail

On December 13, 2013 at 12:35:02 AM, Michael Loftis (mlof...@wgops.com) wrote:

Is the delegated zone isilon or labisilon? I think you need to check the A, and NS records as you've mixed them up even in the email there. I would delegate a completely different sub domain than I would name the A record just to avoid such confusion, it sounds like you've got an NS and A records for the same name, which is why you're getting the static A record from powerdns. In your typed example you are using labisilon as the sub domain and lab-isilon as the A record and NS delegation...

What does dig NS labisilon.lab.example.com @1.2.3.4 give you? (Replace 1.2.3.4 with the pdns auth server ip address) you should get back two records, one NS type pointing to lab-isilon and one A type giving the address to send UDP/TCP queries to. Sounds like that's where the problem is still.
Your delegation shouldn't have any overlapping A records labisilon should be just an NS which points to lab-isilon, otherwise you get the behavior you described. Which is a broken delegation.

On Dec 12, 2013 9:54 PM, Drew Decker drewrocksh...@gmail.com wrote:

Michael,

I think you only read a few posts on this thread, so I’ll give you some details of what had/has been done up to this point, as I read your entire email and from what you are saying, I’ve already done (which is why I’m reaching out to the community) - correct me if I’m wrong.

I have a single zone: lab.example.com

The isilon needs a delegated zone for it to use, so we simply chose isilon.lab.example.com

From a PowerDNS perspective, lab.example.com lives on a single server pdns01 and the database server runs on its own dedicated hardware pdnsdb01. A single zone was created - lab.example.com

We added the following DNS records to PowerDNS (in the lab.example.com zone):

labisilon.lab.example.com. 900 IN NS lab-isilon.lab.example.com.
lab-isilon.lab.example.com. 900 IN A x.x.x.x

Once we added this, it still does not work; when we ping labisilon.lab.example.com, it returns the IP from lab-isilon.lab.example.com, which would be as expected, but since the “x.x.x.x” IP is a SmartConnect IP on the Isilon, it actually takes that IP gives a random IP (depends on how the Isilon is configured) back to the client. So, in our case, we basically round-robin it, so each new request to the isilon should give us a new IP, until we get to the end, and then we start over.

I just need to know if I’m missing something here, and if not, maybe it is an issue with the Isilon, in this case. I just want to make sure that I’m setting up DNS delegation correctly in PowerDNS, or if I’m missing something PowerDNS specific.

Thanks for your continued input.
-- Drew Decker On December 12, 2013 at 9:32:33 PM, Michael Loftis (mlof...@wgops.com//mlof...@wgops.com) wrote: The most common and obvious example of glue is when you have a TLD such as GOV, COM, or EDU delegate your domain, your NS records usually exist within your domain so glue must exist higher up, exact same principal applies at every level where a delegation occurs. Say isil.lab.example.com is served by the isilon. This is the delegated subdomain. lab.example.com is served by other nameservers. The A record you're using could be ns1.isil.lab.example.com, and so must exist in both the isil.lab.example.com domain, AND the lab.example.com domain, in two seperate nameservers. You must have on BOTH the lab.example.com and the isil.lab.example.com domains and nameservers A records for out of zone nameservers in subdomains are called glue. Nothing magical. Everyone has some in COM, GOV, EDU, ORG, etc. If you take a look at google.com, you'll see ns1 through ns4.google.com -- those four A records exist in the COM zone
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
Sorry - replace “pslisilon.lab.securustech.net” with “pslisilon.lab.domain.com” (trying to keep things simple)

--
Drew Decker
Sent with Airmail

On December 13, 2013 at 10:23:02 AM, Drew Decker (drewrocksh...@gmail.com) wrote:

pslisilon.lab.securustech.net
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
Same output -

dig @psl-pdns01 A pslisilon.lab.securustech.net

; <<>> DiG 9.8.3-P1 <<>> @pdns01 A labisilon.lab.domain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24930
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;labisilon.lab.domain.com. IN A

;; AUTHORITY SECTION:
labisilon.lab.domain.com 900 IN NS lab-isilon.lab.domain.com.

;; ADDITIONAL SECTION:
lab-isilon.lab.domain.com. 900 IN A x.x.x.x

;; Query time: 2 msec

Do I need to specifically add an “A” record of labisilon.lab.domain.com - x.x.x.x?

--
Drew Decker
Sent with Airmail

On December 13, 2013 at 10:18:10 AM, Michael Loftis (mlof...@wgops.com) wrote:

labisilon.lab.example.com
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
No you definitely do not want to add an A record for labisilon.lab.domain.com to the powerdns server, that would cause it to always serve the A record.

From the response information I take it the powerdns server isn't your recursive resolver (IE it's not what's in the /etc/resolv.conf or equivalent for your platform) - but from the output you've shown me the first half of the delegation is fine. The second half of the delegation must also exist or BIND in particular won't count it as valid (though the validation is lazy so you'll sometimes get an answer, but most of the time not) -- and the second half is the matching NS record on the isilon, and the SOA (though the SOA is less important) -- you'll want to do the same dig @x.x.x.x NS labisilon.lab.domain.com and dig @x.x.x.x A labisilon.lab.domain.com - this is all part of diagnosing what actually *is* happening with this delegation.

If the NS records aren't being returned from the isilon or the A or SOA isn't I can't really help you out there if those aren't there as I've never used the smartconnect product though there's a small chance I can get some information since we used their storage boxes at my present day job years back before I started (We literally have a couple racks worth of them sitting around after being decommissioned).

... reading a bit in...is securustech.net the actual domain? It has wild cards which would be causing all manner of hell for you, if the A record you're getting back is the same as I'm seeing from the outside - 69.43.161.163 - then that would explain your problems. Your recursive resolver is getting the wildcard answers from your outside nameservers.
On Fri, Dec 13, 2013 at 8:23 AM, Drew Decker drewrocksh...@gmail.com wrote: Same output - dig @psl-pdns01 A pslisilon.lab.securustech.net ; DiG 9.8.3-P1 @pdns01 A labisilon.lab.domain.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 24930 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;labisilon.lab.domain.com. IN A ;; AUTHORITY SECTION: labisilon.lab.domain.com 900 IN NS lab-isilon.lab.domain.com. ;; ADDITIONAL SECTION: lab-isilon.lab.domain.com. 900 IN A x.x.x.x ;; Query time: 2 msec Do I need to specifically add an “A” record of labisilon.lab.domain.com - x.x.x.x? -- Drew Decker Sent with Airmail On December 13, 2013 at 10:18:10 AM, Michael Loftis (mlof...@wgops.com) wrote: labisilon.lab.example.com -- Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
Michael,

the PowerDNS server IS the main recursor resolver and the IP of the PowerDNS server is actually in /etc/resolv.conf for all of the platform servers. We no longer have any BIND servers in our infrastructure.

Here are the dig outputs:

$ dig @pdns01 NS labisilon.lab.domain.com

; <<>> DiG 9.8.3-P1 <<>> @pdns01 NS labisilon.lab.domain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9680
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;labisilon.lab.domain.com. IN NS

;; AUTHORITY SECTION:
lab.domain.com. 900 IN SOA pdns01.lab.domain.com. linuxadmins.domain.com. 2013073047 86400 7200 604800 3600

;; Query time: 1 msec

[~] ddecker$ dig @pdns01 A labisilon.lab.domain.com

; <<>> DiG 9.8.3-P1 <<>> @pdns01 A labisilon.lab.domain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1337
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;labisilon.lab.domain.com. IN A

;; AUTHORITY SECTION:
lab.domain.com. 900 IN SOA pdns01.lab.domain.com. linuxadmins.domain.com. 2013073047 86400 7200 604800 3600

;; Query time: 0 msec

--
Drew Decker
Sent with Airmail

On December 13, 2013 at 12:08:35 PM, Michael Loftis (mlof...@wgops.com) wrote:

No you definitely do not want to add an A record for labisilon.lab.domain.com to the powerdns server, that would cause it to always serve the A record.

From the response information I take it the powerdns server isn't your recursive resolver (IE it's not what's in the /etc/resolv.conf or equivalent for your platform) - but from the output you've shown me the first half of the delegation is fine.
The second half of the delegation must also exist or BIND in particular won't count it as valid (though the validation is lazy so you'll sometimes get an answer, but most of the time not) -- and hte second half is the matching NS record on the isilon, and the SOA (though the SOA is less important) -- you'll want to do the same dig @x.x.x.x NS labisilon.lab.domain.com and dig @x.x.x.x A labisilon.lab.domain.com - this is all part of diagnosing what actually *is* happening with this delegation. If the NS records aren't being returned from the isilon or the A or SOA isn't I can't really help you out there if those aren't there as I've never used the smartconnect product though there's a small chance I can get some information since we used their storage boxes at my present day job years back before I started (We literally have a couple racks worth of them sitting around after being decommissioned). ... reading a bit in...is securustech.net the actual domain? It has wild cards which would be causing all manner of hell for you, if the A record you're getting back is the same as I'm seeing from the outside - 69.43.161.163 - then that would explain your problems. Your recursive resolver is getting the wildcard answers from your outside nameservers. On Fri, Dec 13, 2013 at 8:23 AM, Drew Decker drewrocksh...@gmail.com wrote: Same output - dig @psl-pdns01 A pslisilon.lab.securustech.net ; DiG 9.8.3-P1 @pdns01 A labisilon.lab.domain.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 24930 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;labisilon.lab.domain.com. IN A ;; AUTHORITY SECTION: labisilon.lab.domain.com 900 IN NS lab-isilon.lab.domain.com. ;; ADDITIONAL SECTION: lab-isilon.lab.domain.com. 900 IN A x.x.x.x ;; Query time: 2 msec Do I need to specifically add an “A” record of labisilon.lab.domain.com - x.x.x.x? 
-- Drew Decker Sent with Airmail On December 13, 2013 at 10:18:10 AM, Michael Loftis (mlof...@wgops.com) wrote: labisilon.lab.example.com -- Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
Ah...You actually *may* have hit a bug. What version of powerdns and what backend? There's an issue on github, number 49, fixed in commit number 549 according to the bug where PDNS was behaving similar to this...if you dig for things *under* that subdomain eg test.labisilon.lab.domain.com you get the correct response (NS and A records w/ no AA bit indicating you must chase the delegation) -- but when querying for the delegated domain, it returns the SOA and an AA bit w/ NXDOMAIN indicating no such record.

https://github.com/PowerDNS/pdns/issues/49

Might actually be that bug you're seeing! Sorry for the run around if so, I didn't even know the bug existed until now. This of course assumes correct records and all...which is why I had you run all those digs...

On Fri, Dec 13, 2013 at 10:22 AM, Drew Decker drewrocksh...@gmail.com wrote:

Michael,

the PowerDNS server IS the main recursor resolver and the IP of the PowerDNS server is actually in /etc/resolv.conf for all of the platform servers. We no longer have any BIND servers in our infrastructure.

Here are the dig outputs:

$ dig @pdns01 NS labisilon.lab.domain.com

; <<>> DiG 9.8.3-P1 <<>> @pdns01 NS labisilon.lab.domain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9680
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;labisilon.lab.domain.com. IN NS

;; AUTHORITY SECTION:
lab.domain.com. 900 IN SOA pdns01.lab.domain.com. linuxadmins.domain.com. 2013073047 86400 7200 604800 3600

;; Query time: 1 msec

[~] ddecker$ dig @pdns01 A labisilon.lab.domain.com

; <<>> DiG 9.8.3-P1 <<>> @pdns01 A labisilon.lab.domain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1337
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;labisilon.lab.domain.com. IN A

;; AUTHORITY SECTION:
lab.domain.com. 900 IN SOA pdns01.lab.domain.com.
linuxadmins.domain.com. 2013073047 86400 7200 604800 3600 ;; Query time: 0 msec -- Drew Decker Sent with Airmail On December 13, 2013 at 12:08:35 PM, Michael Loftis (mlof...@wgops.com) wrote: No you definitely do not want to add an A record for labisilon.lab.domain.com to the powerdns server, that would cause it to always serve the A record. From the response information I take it the powerdns server isn't your recursive resolver (IE it's not whats in the /etc/resolv.conf or equivalent for your platform) - but from the output you've shown me the first half of the delegation is fine. The second half of the delegation must also exist or BIND in particular won't count it as valid (though the validation is lazy so you'll sometimes get an answer, but most of the time not) -- and hte second half is the matching NS record on the isilon, and the SOA (though the SOA is less important) -- you'll want to do the same dig @x.x.x.x NS labisilon.lab.domain.com and dig @x.x.x.x A labisilon.lab.domain.com - this is all part of diagnosing what actually *is* happening with this delegation. If the NS records aren't being returned from the isilon or the A or SOA isn't I can't really help you out there if those aren't there as I've never used the smartconnect product though there's a small chance I can get some information since we used their storage boxes at my present day job years back before I started (We literally have a couple racks worth of them sitting around after being decommissioned). ... reading a bit in...is securustech.net the actual domain? It has wild cards which would be causing all manner of hell for you, if the A record you're getting back is the same as I'm seeing from the outside - 69.43.161.163 - then that would explain your problems. Your recursive resolver is getting the wildcard answers from your outside nameservers. 
On Fri, Dec 13, 2013 at 8:23 AM, Drew Decker drewrocksh...@gmail.com wrote: Same output - dig @psl-pdns01 A pslisilon.lab.securustech.net ; DiG 9.8.3-P1 @pdns01 A labisilon.lab.domain.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 24930 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;labisilon.lab.domain.com. IN A ;; AUTHORITY SECTION: labisilon.lab.domain.com 900 IN NS lab-isilon.lab.domain.com. ;; ADDITIONAL SECTION: lab-isilon.lab.domain.com. 900 IN A x.x.x.x ;; Query time: 2 msec Do I need to specifically add an “A” record of labisilon.lab.domain.com - x.x.x.x? -- Drew Decker Sent with Airmail On December 13, 2013 at 10:18:10 AM, Michael Loftis (mlof...@wgops.com) wrote: labisilon.lab.example.com -- Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler -- Genius might be described as a supreme capacity for getting its possessors into
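Added example, not part of any message in this thread: a small Python classifier for the dig output compared above, separating a referral (NOERROR, no aa flag, NS in the authority section) from the authoritative NXDOMAIN with SOA seen in the later digs. The sample outputs are constructed from those quoted in the thread, with 192.0.2.10 standing in for the redacted x.x.x.x; the function names and the third sample are illustrative assumptions.

```python
import re

# Constructed samples modelled on the dig output quoted in the thread.
# 192.0.2.10 is a documentation address standing in for the redacted x.x.x.x.
REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53684
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;labisilon.lab.example.com. IN NS
;; AUTHORITY SECTION:
labisilon.lab.example.com. 900 IN NS lab-isilon.lab.example.com.
;; ADDITIONAL SECTION:
lab-isilon.lab.example.com. 900 IN A 192.0.2.10
;; Query time: 59 msec
"""

AUTH_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9680
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;labisilon.lab.example.com. IN NS
;; AUTHORITY SECTION:
lab.example.com. 900 IN SOA pdns01.lab.example.com. linuxadmins.example.com. 2013073047 86400 7200 604800 3600
;; Query time: 1 msec
"""

# Hypothetical third case: an A record added at the delegated name itself.
OVERLAPPING_A = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;labisilon.lab.example.com. IN A
;; ANSWER SECTION:
labisilon.lab.example.com. 900 IN A 192.0.2.10
"""


def parse_dig(text):
    """Extract status, flags, question name and records from dig's text output."""
    resp = {"status": None, "flags": set(), "qname": "",
            "ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith(";;"):
            status = re.search(r"status:\s*(\w+)", line)
            flags = re.match(r";;\s*flags:\s*([a-z ]*);", line)
            header = re.match(r";;\s*(\w+) SECTION:", line)
            if status:
                resp["status"] = status.group(1)
            elif flags:
                resp["flags"] = set(flags.group(1).split())
            # Any other ';;' line (e.g. "Query time") ends the current section.
            section = header.group(1) if header else None
        elif line.startswith(";"):
            if section == "QUESTION":
                resp["qname"] = line[1:].split()[0].lower()
        elif section in ("ANSWER", "AUTHORITY", "ADDITIONAL"):
            fields = line.split()
            if len(fields) >= 5:  # owner ttl class type rdata...
                resp[section].append({"owner": fields[0].lower(),
                                      "type": fields[3].upper(),
                                      "rdata": " ".join(fields[4:])})
    return resp


def covers(owner, qname):
    """True if qname is equal to, or a subdomain of, owner."""
    owner, qname = owner.rstrip("."), qname.rstrip(".")
    return qname == owner or qname.endswith("." + owner)


def classify(text):
    """Label a response from the parent zone's server for a delegated name."""
    r = parse_dig(text)
    aa = "aa" in r["flags"]
    cut_ns = [rr for rr in r["AUTHORITY"]
              if rr["type"] == "NS" and covers(rr["owner"], r["qname"])]
    if r["status"] == "NOERROR" and not aa and not r["ANSWER"] and cut_ns:
        # Referral: the client must chase the NS; addresses ride in ADDITIONAL.
        targets = {}
        for ns in cut_ns:
            name = ns["rdata"].lower()
            targets[name] = [a["rdata"] for a in r["ADDITIONAL"]
                             if a["owner"] == name and a["type"] in ("A", "AAAA")]
        return {"verdict": "referral", "ns_targets": targets}
    if r["status"] == "NXDOMAIN" and aa and any(
            rr["type"] == "SOA" for rr in r["AUTHORITY"]):
        # The server claims authority and denies the name exists: no referral.
        return {"verdict": "authoritative-nxdomain", "ns_targets": {}}
    if r["status"] == "NOERROR" and aa and r["ANSWER"]:
        # The server answered from its own data instead of referring.
        return {"verdict": "authoritative-answer", "ns_targets": {}}
    return {"verdict": "other", "ns_targets": {}}
```

Feeding it the saved output of `dig @<parent-server> NS <delegated-name>` and of the same query for type A shows at a glance which of the two behaviours described in the thread the server is exhibiting.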
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
Does anyone else know of a way to do this, or could give me some recommendations on how we could do this in our current configuration? We just need to be able to create a delegation in PowerDNS to use a different Nameserver on the actual isilon. We are basically delegating to the Isilon for a specific subdomain.

Thanks!

On Wed, Dec 4, 2013 at 2:06 PM, k...@rice.edu k...@rice.edu wrote:

On Wed, Dec 04, 2013 at 02:03:57PM -0600, Drew Decker wrote:

Ken, Yea - I don't think this will work for us. Our domain is shared with the Isilon, so it would be lab.domain.com, and I don't want to forward the entire zone over to the Isilon. thanks!

Yes, we put our Isilon in its own (sub)domain for exactly that reason. It made this easy. You could roll-your-own with lua in the recursor if a separate domain is not possible.

Regards,
Ken

--
Best Regards,
Drew Decker
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
Michael,

When you state "If the A records that the NS points to are in the subdomain, glue records must be created in the parent domain/zone." - can you elaborate on how to do this? Everything else that you mentioned is DNS 101 and has already been done. Explain to me how and what I need to do about the DNS glue records in PowerDNS and I'll give it a try.

Thanks!

On Thu, Dec 12, 2013 at 6:36 PM, Michael Loftis mlof...@wgops.com wrote:

I must be missing something because this is DNS 101. Just create NS records in the domain on the PDNS server that points at the isilon. If the A records that the NS points to are in the subdomain, glue records must be created in the parent domain/zone.

There's no magic, insert the two records into your PowerDNS authoritative servers records table, make sure that the clients can contact the isilon's UDP and TCP port 53 (where the A record points to)

If you're still having issues I suggest using dig +trace to see what's going on, and dig in general to see if the isilon is even responding - it really sounds like you've got a firewall issue that's keeping anything from being able to contact the delegated-to nameserver.

On Thu, Dec 12, 2013 at 4:17 PM, Drew Decker drewrocksh...@gmail.com wrote:

Does anyone else know of a way to do this, or could give me some recommendations on how we could do this in our current configuration? We just need to be able to create a delegation in PowerDNS to use a different Nameserver on the actual isilon. We are basically delegating to the Isilon for a specific subdomain.

Thanks!

On Wed, Dec 4, 2013 at 2:06 PM, k...@rice.edu k...@rice.edu wrote:

On Wed, Dec 04, 2013 at 02:03:57PM -0600, Drew Decker wrote:

Ken, Yea - I don't think this will work for us. Our domain is shared with the Isilon, so it would be lab.domain.com, and I don't want to forward the entire zone over to the Isilon. thanks!

Yes, we put our Isilon in its own (sub)domain for exactly that reason. It made this easy.
You could roll-your-own with lua in the recursor if a separate domain is not possible. Regards, Ken -- Best Regards, Drew Decker ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users -- Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler -- Best Regards, Drew Decker ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
Michael,

I think you only read a few posts on this thread, so I’ll give you some details of what had/has been done up to this point, as I read your entire email and from what you are saying, I’ve already done (which is why I’m reaching out to the community) - correct me if I’m wrong.

I have a single zone: lab.example.com

The isilon needs a delegated zone for it to use, so we simply chose isilon.lab.example.com

From a PowerDNS perspective, lab.example.com lives on a single server pdns01 and the database server runs on its own dedicated hardware pdnsdb01. A single zone was created - lab.example.com

We added the following DNS records to PowerDNS (in the lab.example.com zone):

labisilon.lab.example.com. 900 IN NS lab-isilon.lab.example.com.
lab-isilon.lab.example.com. 900 IN A x.x.x.x

Once we added this, it still does not work; when we ping labisilon.lab.example.com, it returns the IP from lab-isilon.lab.example.com, which would be as expected, but since the “x.x.x.x” IP is a SmartConnect IP on the Isilon, it actually takes that IP gives a random IP (depends on how the Isilon is configured) back to the client. So, in our case, we basically round-robin it, so each new request to the isilon should give us a new IP, until we get to the end, and then we start over.

I just need to know if I’m missing something here, and if not, maybe it is an issue with the Isilon, in this case. I just want to make sure that I’m setting up DNS delegation correctly in PowerDNS, or if I’m missing something PowerDNS specific.

Thanks for your continued input.

--
Drew Decker

On December 12, 2013 at 9:32:33 PM, Michael Loftis (mlof...@wgops.com) wrote:

The most common and obvious example of glue is when you have a TLD such as GOV, COM, or EDU delegate your domain, your NS records usually exist within your domain so glue must exist higher up, exact same principle applies at every level where a delegation occurs.

Say isil.lab.example.com is served by the isilon. This is the delegated subdomain. lab.example.com is served by other nameservers. The A record you're using could be ns1.isil.lab.example.com, and so must exist in both the isil.lab.example.com domain, AND the lab.example.com domain, in two separate nameservers.

You must have on BOTH the lab.example.com and the isil.lab.example.com domains and nameservers A records for out of zone nameservers in subdomains are called glue. Nothing magical. Everyone has some in COM, GOV, EDU, ORG, etc. If you take a look at google.com, you'll see ns1 through ns4.google.com -- those four A records exist in the COM zone as glue. Likewise, all four of those A records served by the COM nameservers are identical to the ones served by google.com nameservers. Same thing has to happen on subdomains if the A record points to something that exists inside the delegated domain.

ns1.isil.lab.example.com IN A 127.1.1.2
isil.lab.example.com IN NS ns1.isil.lab.example.com

And that leads into yet another pitfall, if those records are mismatched, BIND and most other resolvers will decide someone is trying to poison their cache and refuse to serve results for that domain (or subdomain, there is not any distinction to BIND and PowerDNS)

On Thu, Dec 12, 2013 at 4:48 PM, Drew Decker drewrocksh...@gmail.com wrote:

Michael,

When you state "If the A records that the NS points to are in the subdomain, glue records must be created in the parent domain/zone." - can you elaborate on how to do this? Everything else that you mentioned is DNS 101 and has already been done. Explain to me how and what I need to do about the DNS glue records in PowerDNS and I'll give it a try.

Thanks!

On Thu, Dec 12, 2013 at 6:36 PM, Michael Loftis mlof...@wgops.com wrote:

I must be missing something because this is DNS 101. Just create NS records in the domain on the PDNS server that points at the isilon. If the A records that the NS points to are in the subdomain, glue records must be created in the parent domain/zone.
There's no magic, insert the two records into your PowerDNS authoratitive servers records table, make sure that the clients can contact the isilon's UDP and TCP port 53 (where the A record points to) If you're still having issues I suggest using dig +trace to see whats going on, and dig in general to see if the isilon is even responding - it really sounds like you've got a firewall issue that's keeping anything from being able to contact the delegated-to nameserver. On Thu, Dec 12, 2013 at 4:17 PM, Drew Decker drewrocksh...@gmail.com wrote: Does anyone else know of a way to do this, or could give me some recommendations on how we could do this in or current configuration? We just need to be able to create a delegation in PowerDNS to use a different Nameserver on the actual isilon. We are basically delegating to the Isilon for a specific
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
Michael,

You are correct - my typo - it is labisilon (not simply isilon).

When I do “dig @pdns01 NS labisilon.lab.example.com” I get the following:

$ dig @psl-pdns01 ns pslisilon.lab.securustech.net

; <<>> DiG 9.8.3-P1 <<>> @psl-pdns01 ns pslisilon.lab.securustech.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53684
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;labisilon.lab.example.com. IN NS

;; AUTHORITY SECTION:
labisilon.lab.example.com. 900 IN NS lab-isilon.lab.example.com.

;; ADDITIONAL SECTION:
lab-isilon.lab.example.com. 900 IN A x.x.x.x

;; Query time: 59 msec

I don’t believe the records are overlapping according to this output but please correct me if I’m wrong on this.

-- Drew Decker
Sent with Airmail

On December 13, 2013 at 12:35:02 AM, Michael Loftis (mlof...@wgops.com) wrote:

Is the delegated zone isilon or labisilon? I think you need to check the A, and NS records as you've mixed them up even in the email there. I would delegate a completely different sub domain than I would name the A record just to avoid such confusion, it sounds like you've got an NS and A records for the same name, which is why you're getting the static A record from powerdns.

In your typed example you are using labisilon as the sub domain and lab-isilon as the A record and NS delegation...

What does dig NS labisilon.lab.example.com @1.2.3.4 give you? (Replace 1.2.3.4 with the pdns auth server ip address) you should get back two records, one NS type pointing to lab-isilon and one A type giving the address to send UDP/TCP queries to.

Sounds like that's where the problem is still. Your delegation shouldn't have any overlapping A records labisilon should be just an NS which points to lab-isilon, otherwise you get the behavior you described. Which is a broken delegation.
On Dec 12, 2013 9:54 PM, Drew Decker drewrocksh...@gmail.com wrote:

Michael,

I think you only read a few posts on this thread, so I’ll give you some details of what had/has been done up to this point, as I read your entire email and from what you are saying, I’ve already done (which is why I’m reaching out to the community) - correct me if I’m wrong.

I have a single zone: lab.example.com

The isilon needs a delegated zone for it to use, so we simply chose isilon.lab.example.com

From a PowerDNS perspective, lab.example.com lives on a single server pdns01 and the database server runs on its own dedicated hardware pdnsdb01.

A single zone was created - lab.example.com

We added the following DNS records to PowerDNS (in the lab.example.com zone):

labisilon.lab.example.com. 900 IN NS lab-isilon.lab.example.com.
lab-isilon.lab.example.com. 900 IN A x.x.x.x

Once we added this, it still does not work; when we ping labisilon.lab.example.com, it returns the IP from lab-isilon.lab.example.com, which would be as expected, but since the “x.x.x.x” IP is a SmartConnect IP on the Isilon, it actually takes that IP and gives a random IP (depends on how the Isilon is configured) back to the client. So, in our case, we basically round-robin it, so each new request to the isilon should give us a new IP, until we get to the end, and then we start over.

I just need to know if I’m missing something here, and if not, maybe it is an issue with the Isilon, in this case. I just want to make sure that I’m setting up DNS delegation correctly in PowerDNS, or if I’m missing something PowerDNS specific.

Thanks for your continued input.

-- Drew Decker

On December 12, 2013 at 9:32:33 PM, Michael Loftis (mlof...@wgops.com) wrote:

The most common and obvious example of glue is when you have a TLD such as GOV, COM, or EDU delegate your domain, your NS records usually exist within your domain so glue must exist higher up, exact same principle applies at every level where a delegation occurs.

Say isil.lab.example.com is served by the isilon. This is the delegated subdomain. lab.example.com is served by other nameservers. The A record you're using could be ns1.isil.lab.example.com, and so must exist in both the isil.lab.example.com domain, AND the lab.example.com domain, in two separate nameservers. You must have on BOTH the lab.example.com and the isil.lab.example.com domains and nameservers A records for out of zone nameservers in subdomains are called glue. Nothing magical. Everyone has some in COM, GOV, EDU, ORG, etc.

If you take a look at google.com, you'll see ns1 through ns4.google.com -- those four A records exist in the COM zone as glue. Likewise, all four of those A records served by the COM nameservers are identical to the ones served by google.com nameservers. Same thing has to happen on subdomains if the A record points to something that exists inside the delegated domain.

ns1.isil.lab.example.com IN A 127.1.1.2
isil.lab.example.com IN NS ns1.isil.lab.example.com

And that leads into yet another
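An added example, not part of any message in the thread: a small reader for dig output that tells a proper referral (NS in AUTHORITY, address in ADDITIONAL, no aa flag) apart from the parent answering or denying the name itself. Both sample responses are constructed in dig's standard layout, and 192.0.2.10 is a documentation address standing in for the masked IP.

```python
import re

# Constructed sample mirroring the referral quoted in the thread;
# 192.0.2.10 stands in for the masked x.x.x.x address.
REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53684
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;labisilon.lab.example.com. IN NS

;; AUTHORITY SECTION:
labisilon.lab.example.com. 900 IN NS lab-isilon.lab.example.com.

;; ADDITIONAL SECTION:
lab-isilon.lab.example.com. 900 IN A 192.0.2.10
"""

# Constructed: the same query denied authoritatively by the parent zone.
BROKEN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
lab.example.com. 3600 IN SOA pdns01.lab.example.com. hostmaster.lab.example.com. 1 10800 3600 604800 3600
"""

def parse_dig(text):
    """Return (status, flags, {section: [(owner, type, rdata), ...]})."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = re.search(r"flags: ([a-z ]*);", text).group(1).split()
    sections, current = {"ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}, None
    for line in text.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            current = header.group(1)
        elif not line.strip():
            current = None                    # a blank line ends the section
        elif current in sections and not line.startswith(";"):
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            sections[current].append((owner.lower(), rtype, rdata.lower()))
    return status, flags, sections

def classify(text):
    """Classify what the queried server said about a delegated name."""
    status, flags, sec = parse_dig(text)
    if status == "NXDOMAIN" and "aa" in flags:
        return "authoritative-nxdomain"       # parent denies the name, no referral
    if status == "NOERROR" and sec["ANSWER"] and "aa" in flags:
        return "answered-by-parent"           # parent answers instead of referring
    ns = [rdata for _, rtype, rdata in sec["AUTHORITY"] if rtype == "NS"]
    if status == "NOERROR" and "aa" not in flags and not sec["ANSWER"] and ns:
        addrs = {o for o, rtype, _ in sec["ADDITIONAL"] if rtype in ("A", "AAAA")}
        return "referral" if all(t in addrs for t in ns) else "referral-no-address"
    return "other"
```

A "referral" result from the parent only shows the delegation is being served; whether the delegated-to nameserver answers on port 53 still has to be checked against that server directly.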
[Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
We are currently wanting to implement Isilon's SmartConnect features, which requires a delegation (NS) record to the Isilon. Unfortunately, their documentation only covers BIND and Microsoft DNS products. Is there a way to do the same thing in PowerDNS? If so, what is the correct way?

Per the documentation, it shows the following for BIND:

-
BIND server: In BIND, a new name server (NS) record needs to be added to the existing authoritative DNS zone specifying the server of authority for the new sub-zone. For that, an A record must be added, specified in the NS record that points to the SIP address of the cluster. For example, if the SmartConnect zone name is cluster.example.com, the DNS entries would look like:

cluster.example.com IN NS sip.example.com
sip.example.com IN A {IPaddress}
-

Unfortunately, it doesn't appear to work on our end - it says hostname not found - but all other DNS records work for the parent domain on our end - it is just this one that is not working.

Please let me know if you'd like me to provide more information on the setup of our PowerDNS servers.

-- Best Regards, Drew Decker

___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
Hi Drew,

If all you need are an NS record and an A record, PowerDNS will work just fine. If you've already created your records, please post your config, how to reproduce the problem, and any records you've already created. That way we can query your nameservers and see what's what.

John

On 12/04/2013 02:18 PM, Drew Decker wrote:

We are currently wanting to implement Isilon's SmartConnect features, which requires a delegation (NS) record to the Isilon. Unfortunately, their documentation only covers BIND and Microsoft DNS products. Is there a way to do the same thing in PowerDNS? If so, what is the correct way?

Per the documentation, it shows the following for BIND:

-
BIND server: In BIND, a new name server (NS) record needs to be added to the existing authoritative DNS zone specifying the server of authority for the new sub-zone. For that, an A record must be added, specified in the NS record that points to the SIP address of the cluster. For example, if the SmartConnect zone name is cluster.example.com, the DNS entries would look like:

cluster.example.com IN NS sip.example.com
sip.example.com IN A {IPaddress}
-

Unfortunately, it doesn't appear to work on our end - it says hostname not found - but all other DNS records work for the parent domain on our end - it is just this one that is not working.

Please let me know if you'd like me to provide more information on the setup of our PowerDNS servers.

-- Best Regards, Drew Decker
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
** This time I'm replying to all - sorry **

John,

Thanks for the response. They are internal nameservers, so you won't be able to query them. Let me send you some configuration data:

allow-recursion=0.0.0.0/0
launch=gmysql
gmysql-host=z.z.z.z
gmysql-user=pdns
gmysql-password=pdns
gmysql-dbname=pdns
local-address=x.x.x.x
log-dns-queries=yes
logging-facility=0
loglevel=9
recursor=y.y.y.y
module-dir=/usr/lib64
socket-dir=/var/run/pdns-server
setuid=powerdns
setgid=powerdns

As for the items created - our main zone is lab.domain.com

dig @pdns01 lab.domain.com axfr

filtered out for just the two items

labisilon.lab.domain.com. 900 IN NS lab-isilon.lab.domain.com.
lab-isilon.lab.domain.com. 900 IN A w.w.w.w

The above output is from the axfr from dig. As for the MySQL records:

id     domain_id  name                       type  content                    ttl  prio  change_date
75732  261        labisilon.lab.domain.com   NS    lab-isilon.lab.domain.com  900  NULL  1386183853
75733  261        lab-isilon.lab.domain.com  A     w.w.w.w                    900  NULL  1386183853

And when I try to ping the record:

ping labisilon.lab.securustech.net
ping: unknown host labisilon.lab.domain.com

Let me know your thoughts.

On Wed, Dec 4, 2013 at 1:26 PM, John Miller johnm...@brandeis.edu wrote:

Hi Drew,

If all you need are an NS record and an A record, PowerDNS will work just fine. If you've already created your records, please post your config, how to reproduce the problem, and any records you've already created. That way we can query your nameservers and see what's what.

John

On 12/04/2013 02:18 PM, Drew Decker wrote:

We are currently wanting to implement Isilon's SmartConnect features, which requires a delegation (NS) record to the Isilon. Unfortunately, their documentation only covers BIND and Microsoft DNS products. Is there a way to do the same thing in PowerDNS? If so, what is the correct way?

Per the documentation, it shows the following for BIND:

-
BIND server: In BIND, a new name server (NS) record needs to be added to the existing authoritative DNS zone specifying the server of authority for the new sub-zone. For that, an A record must be added, specified in the NS record that points to the SIP address of the cluster. For example, if the SmartConnect zone name is cluster.example.com, the DNS entries would look like:

cluster.example.com IN NS sip.example.com
sip.example.com IN A {IPaddress}
-

Unfortunately, it doesn't appear to work on our end - it says hostname not found - but all other DNS records work for the parent domain on our end - it is just this one that is not working.

Please let me know if you'd like me to provide more information on the setup of our PowerDNS servers.

-- Best Regards, Drew Decker

-- Best Regards, Drew Decker
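An added example, not code from the thread or from PowerDNS: a check over rows shaped like the `records` table quoted above (name, type, content) for the two delegation mistakes raised in this discussion, records overlapping the delegation point and missing glue for an NS target inside the delegated zone. The rows are constructed, 192.0.2.10 stands in for the masked addresses, and the function names are hypothetical.

```python
def norm(name):
    return name.rstrip(".").lower()

def within(name, zone):
    """True if name is the zone itself or below it, on label boundaries."""
    return name == zone or name.endswith("." + zone)

def check_delegations(zone, rows):
    """Return sorted (cut, problem) findings for every NS set below the apex."""
    zone = norm(zone)
    rows = [(norm(n), t.upper(), norm(c)) for n, t, c in rows]
    cuts = {}
    for name, rtype, content in rows:
        if rtype == "NS" and name != zone and within(name, zone):
            cuts.setdefault(name, set()).add(content)
    addressed = {n for n, t, _ in rows if t in ("A", "AAAA")}
    findings = []
    for cut, targets in cuts.items():
        for name, rtype, _ in rows:
            if name == cut and rtype not in ("NS", "DS"):
                findings.append((cut, f"overlapping {rtype} at the delegation point"))
            elif name != cut and within(name, cut) and not (
                    rtype in ("A", "AAAA") and name in targets):
                findings.append((cut, f"{rtype} {name} is below the cut and is not glue"))
        for target in sorted(targets):
            if target in addressed:
                continue
            if within(target, cut):
                findings.append((cut, f"missing glue for {target}"))
            elif within(target, zone):
                findings.append((cut, f"no address record for {target}"))
    return sorted(findings)

# Constructed rows mirroring the two records quoted in the thread.
AS_POSTED = [
    ("lab.domain.com", "SOA", "pdns01.lab.domain.com hostmaster.lab.domain.com 1"),
    ("labisilon.lab.domain.com", "NS", "lab-isilon.lab.domain.com"),
    ("lab-isilon.lab.domain.com", "A", "192.0.2.10"),
]
# Constructed failure cases: an A record at the cut, and the ns1.isil... layout
# from the glue explanation with its A record left out of the parent zone.
OVERLAP = AS_POSTED + [("labisilon.lab.domain.com", "A", "192.0.2.10")]
NO_GLUE = [("isil.lab.example.com", "NS", "ns1.isil.lab.example.com")]
```

The rows as posted come back clean because lab-isilon is a sibling of labisilon, not a name beneath it, which is why the comparison is done on label boundaries rather than by substring.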
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
On Wed, Dec 04, 2013 at 01:18:40PM -0600, Drew Decker wrote:

We are currently wanting to implement Isilon's SmartConnect features, which requires a delegation (NS) record to the Isilon. Unfortunately, their documentation only covers BIND and Microsoft DNS products. Is there a way to do the same thing in PowerDNS? If so, what is the correct way?

Per the documentation, it shows the following for BIND:

-
BIND server: In BIND, a new name server (NS) record needs to be added to the existing authoritative DNS zone specifying the server of authority for the new sub-zone. For that, an A record must be added, specified in the NS record that points to the SIP address of the cluster. For example, if the SmartConnect zone name is cluster.example.com, the DNS entries would look like:

cluster.example.com IN NS sip.example.com
sip.example.com IN A {IPaddress}
-

Unfortunately, it doesn't appear to work on our end - it says hostname not found - but all other DNS records work for the parent domain on our end - it is just this one that is not working.

Please let me know if you'd like me to provide more information on the setup of our PowerDNS servers.

-- Best Regards, Drew Decker

Hi Drew,

We do this in the recursor, not in the authoritative server, with pdns-recursor using the forward-zones option. For your example, it would be a line something like this:

forward-zones=cluster.example.com={IP address}

Regards,
Ken
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
Ken,

Yea - I don't think this will work for us. Our domain is shared with the Isilon, so it would be lab.domain.com, and I don't want to forward the entire zone over to the Isilon.

thanks!

On Wed, Dec 4, 2013 at 1:57 PM, k...@rice.edu k...@rice.edu wrote:

On Wed, Dec 04, 2013 at 01:18:40PM -0600, Drew Decker wrote:

We are currently wanting to implement Isilon's SmartConnect features, which requires a delegation (NS) record to the Isilon. Unfortunately, their documentation only covers BIND and Microsoft DNS products. Is there a way to do the same thing in PowerDNS? If so, what is the correct way?

Per the documentation, it shows the following for BIND:

-
BIND server: In BIND, a new name server (NS) record needs to be added to the existing authoritative DNS zone specifying the server of authority for the new sub-zone. For that, an A record must be added, specified in the NS record that points to the SIP address of the cluster. For example, if the SmartConnect zone name is cluster.example.com, the DNS entries would look like:

cluster.example.com IN NS sip.example.com
sip.example.com IN A {IPaddress}
-

Unfortunately, it doesn't appear to work on our end - it says hostname not found - but all other DNS records work for the parent domain on our end - it is just this one that is not working.

Please let me know if you'd like me to provide more information on the setup of our PowerDNS servers.

-- Best Regards, Drew Decker

Hi Drew,

We do this in the recursor, not in the authoritative server, with pdns-recursor using the forward-zones option. For your example, it would be a line something like this:

forward-zones=cluster.example.com={IP address}

Regards,
Ken

-- Best Regards, Drew Decker
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
On Wed, Dec 04, 2013 at 02:03:57PM -0600, Drew Decker wrote:

Ken,

Yea - I don't think this will work for us. Our domain is shared with the Isilon, so it would be lab.domain.com, and I don't want to forward the entire zone over to the Isilon.

thanks!

Yes, we put our Isilon in its own (sub)domain for exactly that reason. It made this easy. You could roll-your-own with lua in the recursor if a separate domain is not possible.

Regards,
Ken