Thanks again Pieter,

> The trace is not complete,

Did you notice the link to pastebin? I think that very long log is complete:

> Here is the failing dig:
>
> https://pastebin.com/NeUNyWfF
>
> Log when coredns forwards:
>
> https://pastebin.com/DsNH1akb1

> but you might have to either set an NTA for .lan in your config[1] or set
> dnssec=off in your recursor.conf. Do the first if you care about DNSSEC
> validation or the second if you don't care about it.

After disabling dnssec, dig works but queries from coredns do not.

[BTW: what is the proper way to restart the recursor? I'm in docker so I
restart the docker but I guess there's a simpler way. In my docker I have
rec_control, but no command seems the proper one: reload-lua-script /
reload-lua-config, reload-zones...]

After disabling dnssec logs are:

dig (working):

recursor_1 | Oct 21 20:31:44 2 [57/1] question for 'dns1b.thux.lan|A' from 10.1.201.111:37680
recursor_1 | Oct 21 20:31:44 [57] : no TA found for 'dns1b.thux.lan' among 1
recursor_1 | Oct 21 20:31:44 [57] : no TA found for 'thux.lan' among 1
recursor_1 | Oct 21 20:31:44 [57] : no TA found for 'lan' among 1
recursor_1 | Oct 21 20:31:44 [57] : got TA for '.'
recursor_1 | Oct 21 20:31:44 [57] QM dns1b.thux.lan.|A child=(empty): doResolve
recursor_1 | Oct 21 20:31:44 [57] dns1b.thux.lan: Wants NO DNSSEC processing, auth data in query for A
recursor_1 | Oct 21 20:31:44 [57] dns1b.thux.lan: Recursion not requested for 'dns1b.thux.lan|A', peeking at auth/forward zones
recursor_1 | Oct 21 20:31:44 [57] dns1b.thux.lan: Found cache hit for A: 10.2.201.135[ttl=98]
recursor_1 | Oct 21 20:31:44 [57] dns1b.thux.lan: updating validation state with cache content for dns1b.thux.lan to Indeterminate
recursor_1 | Oct 21 20:31:44 [57] QM dns1b.thux.lan.|A child=(empty): Step0 Found in cache
recursor_1 | Oct 21 20:31:44 2 [57/1] answer to question 'dns1b.thux.lan|A': 1 answers, 1 additional, took 0 packets, 0 netw ms, 0 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0

A different recursor, same conf (much longer log):

https://pastebin.com/qkdxmBvf

from the container via coredns (failing):

https://pastebin.com/XRXpEEHZ

In this case I don't have 'dig', I'm using nslookup or ping:

# kubectl attach shpod -it
If you don't see a command prompt, try pressing enter.
shpod:~# nslookup dns1b.thux.lan
Server: 10.152.183.10
Address: 10.152.183.10:53

** server can't find dns1b.thux.lan: NXDOMAIN

Non-authoritative answer:
*** Can't find dns1b.thux.lan: No answer

shpod:~# ping dns1b.thux.lan
ping: bad address 'dns1b.thux.lan'

sandro
*:-)
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users