Hi Folks,

Just having some confusion with the pdns-recursor forward-zones-file settings, which I will describe.

Due to migrating to the newest versions of pdns and losing the recursor settings, I have been following the migration guide (https://doc.powerdns.com/authoritative/guides/recursion.html), scenario 2. We do plan on fully separating Auth and Recursion, but for now I need them both on the same IP.

Dnsdist (1.3.3) is configured on 53 and I have a list of allowed subnets for recursion; everyone else is sent to the authoritative.
pdns (4.1.5) is on localhost:5300
pdns-recursor (4.1.8) is on localhost:5301

Externally, authoritative requests are working fine and dnsdist sends correctly to localhost:5300 and the response has the "aa" flag. All good.

Recursion is working fine from a whitelisted IP to external domains OK...

dig @my-server bbc.co.uk

; <<>> DiG 9.9.5-3ubuntu0.15-Ubuntu <<>> @localhost bbc.co.uk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14732
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbc.co.uk. IN A

;; ANSWER SECTION:
bbc.co.uk. 300 IN A 151.101.128.81
bbc.co.uk. 300 IN A 151.101.0.81
bbc.co.uk. 300 IN A 151.101.64.81
bbc.co.uk. 300 IN A 151.101.192.81

However, I can no longer get a response from any zone on my Auth server, as dnsdist sees my IP as on the whitelist and keeps sending me to the recursor rather than the auth, and so I get a fail.

To work around this, my zones are also defined in the pdns-recursor config in the forward-zones-file, which is included and correctly read on restart.

Example from forward-zones-file:

tibus.net=127.0.0.1:5300

I can now query this zone OK from a whitelisted IP and get a response; however, I do not get the "aa" flag, but instead "rd".

dig @my-server tibus.net

; <<>> DiG 9.9.5-3ubuntu0.15-Ubuntu <<>> @localhost tibus.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21395
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tibus.net. IN A

;; ANSWER SECTION:
tibus.net. 1699 IN A 89.185.148.64

According to the documentation, the zones listed in the forward-zones-file will only have the recursion-desired bit set if they are prefixed with a "+" ("Zones prefixed with a '+' are forwarded with the recursion-desired bit set"). I do not have this prefix, but yet the bit is set.

Have I confused this setting's meaning, misconfigured, or should I be getting an "aa" flag?

Many thanks,
Alun
_______________________________________________ Pdns-users mailing list [email protected] https://mailman.powerdns.com/mailman/listinfo/pdns-users
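To make the header bits in the dig output above concrete, here is an added Python example (not from the original post, and not PowerDNS code) that decodes the 12-byte DNS header of RFC 1035 section 4.1.1 and builds a minimal query with or without the RD bit. The two response headers are constructed: RECURSOR_ANSWER mirrors the id and flags of the tibus.net answer in the post, and AUTH_ANSWER is a stand-in for the "aa" answer the authoritative server returns directly.

```python
"""Decode DNS header flags and build queries with or without RD.

Added example for the thread above; not from the post or from PowerDNS.
"""
import struct

# Flag bits of the 16-bit flags field (RFC 1035 section 4.1.1)
QR = 1 << 15  # 1 = this message is a response
AA = 1 << 10  # authoritative answer: set by the server that owns the zone
TC = 1 << 9   # truncated
RD = 1 << 8   # recursion desired: set by the client, copied into the response
RA = 1 << 7   # recursion available: set by the responding server

FLAG_NAMES = [("qr", QR), ("aa", AA), ("tc", TC), ("rd", RD), ("ra", RA)]


def decode_header(msg: bytes) -> dict:
    """Parse the fixed 12-byte header and return id, opcode, rcode and flags."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": msg_id,
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "flags": [name for name, bit in FLAG_NAMES if flags & bit],
        "counts": {"qd": qd, "an": an, "ns": ns, "ar": ar},
    }


def dig_style_flags(msg: bytes) -> str:
    """Render the flags the way dig prints them, e.g. 'qr rd ra'."""
    return " ".join(decode_header(msg)["flags"])


def build_query(qname: str, msg_id: int, recursion_desired: bool) -> bytes:
    """Build a wire-format A/IN query; recursion_desired controls the RD bit.

    This is the bit the '+' prefix in forward-zones-file is about: it decides
    whether the query sent *upstream* asks for recursion.
    """
    flags = RD if recursion_desired else 0
    header = struct.pack("!6H", msg_id, flags, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


# Constructed headers (12 bytes each, no body), matching the post's dig output:
# id 21395, flags qr rd ra, NOERROR, QUERY 1, ANSWER 1, AUTHORITY 0, ADDITIONAL 1
RECURSOR_ANSWER = struct.pack("!6H", 21395, QR | RD | RA, 1, 1, 0, 1)
# Constructed stand-in for the authoritative server's own reply: qr aa rd
AUTH_ANSWER = struct.pack("!6H", 21395, QR | AA | RD, 1, 1, 0, 1)

if __name__ == "__main__":
    for name, msg in (("recursor", RECURSOR_ANSWER), ("auth", AUTH_ANSWER)):
        print(f"{name:9s} id={decode_header(msg)['id']} flags: {dig_style_flags(msg)}")
    for rd in (True, False):
        q = build_query("tibus.net", 1, rd)
        print(f"query rd={rd!s:5s} header flags: {decode_header(q)['flags']}")
```

Reading the output side by side with RFC 1035: "rd" in a response only echoes the RD bit the client (here, dig) set in its question, so it appears whether or not the server recursed; "aa" is set by the server answering from its own zone data, and a cache or forwarder relaying that answer does not set it. The '+' prefix controls the RD bit on the query the recursor sends upstream (what build_query toggles), not the flags of the response handed back to the client.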
