Powerdns Problem with Delegation to Isilon.

syaginf
Greetings.
We are in the process of migrating from Bind to Powerdns on one of our compute clusters.
Issue we are having is related to DNS Delegation for Isilon (Related to Isilon Smart Connect feature.)

Server is Master for .hpc
we need to delegate for isilon.hpc

In order to achieve that we have

isilon.hpc -> NS isilon-dns.hpc
isilon-dns.hpc -> A record with Ip address.

This works like a Charm in Bind on one of the old servers and doesn't work in PowerDNS.

Any suggestion on what we might be missing and what might have to be enabled, or troubleshooting steps would be appreciated.

This is result of DIG command on the old server.

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @127.0.0.1 isilon.hpc
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45472
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;isilon.hpc.                    IN      A

;; ANSWER SECTION:
isilon.hpc.             0       IN      A       192.168.3.121

;; AUTHORITY SECTION:
isilon.hpc.             259200  IN      NS      isilon-dns.hpc.

;; ADDITIONAL SECTION:
isilon-dns.hpc.         259200  IN      A       192.168.3.0

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Mar 23 09:38:53 2016
;; MSG SIZE  rcvd: 85

Here are the results for the PowerDNS server

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> @127.0.0.1 isilon.hpc
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18138
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;isilon.hpc.                    IN      A

;; AUTHORITY SECTION:
isilon.hpc.             259200  IN      NS      isilon-dns.hpc.

;; ADDITIONAL SECTION:
isilon-dns.hpc.         259200  IN      A       192.168.3.0

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 22 20:51:20 EDT 2016
;; MSG SIZE  rcvd: 80


Re: Powerdns Problem with Delegation to Isilon.

ktm@rice.edu
On Wed, Mar 23, 2016 at 05:44:56AM -0700, syaginf wrote:

> Greetings.
> We are in the process of migrating from Bind to Powerdns on one of our
> compute clusters.
> Issue we are having is related to DNS Delegation for Isilon (Related to
> Isilon Smart Connect feature.)
>
> Server is Master for .hpc
> we need to delegate for isilon.hpc
>
> In order to achieve that we have
>
> isilon.hpc -> NS isilon-dns.hpc
> isilon-dns.hpc -> A record with Ip address.
>
> This works like a Charm in Bind on one of the old servers and doesn't work
> in PowerDNS.
>
> Any suggestion on what we might be missing and what might have to be
> enabled, or troubleshooting steps would be appreciated.
>

Hi,

The results of the dig command against the old server includes the A
record for the isilon.hpc. This must come from your isilon-dns.hpc
server so your bind must be performing recursion to present that value
back. The PDNS server is only an authoritative server. For recursion,
we use pdns-recursor here and use the forward-zone feature to route
Isilon lookups to the correct server.

> This is result of DIG command on the old server.
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @127.0.0.1 isilon.hpc
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45472
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;isilon.hpc.                    IN      A
>
> ;; ANSWER SECTION:
> isilon.hpc.             0       IN      A       192.168.3.121
>
> ;; AUTHORITY SECTION:
> isilon.hpc.             259200  IN      NS      isilon-dns.hpc.
>
> ;; ADDITIONAL SECTION:
> isilon-dns.hpc.         259200  IN      A       192.168.3.0
>
> ;; Query time: 1 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Mar 23 09:38:53 2016
> ;; MSG SIZE  rcvd: 85
>

These results are correct for an authoritative server w/o recursion. Bind
has both functions integrated into the same product:

> Here are the results for the PowerDNS server
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> @127.0.0.1 isilon.hpc
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18138
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1680
> ;; QUESTION SECTION:
> ;isilon.hpc.                    IN      A
>
> ;; AUTHORITY SECTION:
> isilon.hpc.             259200  IN      NS      isilon-dns.hpc.
>
> ;; ADDITIONAL SECTION:
> isilon-dns.hpc.         259200  IN      A       192.168.3.0
>
> ;; Query time: 4 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Mar 22 20:51:20 EDT 2016
> ;; MSG SIZE  rcvd: 80
>

Good luck.

Regards,
Ken
_______________________________________________
Pdns-users mailing list
[hidden email]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
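
The diagnosis in the reply above comes from reading the two dig outputs: one carries an ANSWER record, the other only an NS record in AUTHORITY plus glue, which is a referral that a stub resolver will not follow. As an added example (not part of the original thread), this sketch classifies dig output that way; the function names `parse_dig` and `classify` are hypothetical and the samples are trimmed copies of the replies quoted in the thread.

```python
import re

# Constructed samples: the two dig replies quoted in this thread, trimmed to
# the flags line and the record sections the classifier reads.
PDNS_REPLY = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
;; QUESTION SECTION:
;isilon.hpc.                    IN      A
;; AUTHORITY SECTION:
isilon.hpc.             259200  IN      NS      isilon-dns.hpc.
;; ADDITIONAL SECTION:
isilon-dns.hpc.         259200  IN      A       192.168.3.0
"""
BIND_REPLY = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;isilon.hpc.                    IN      A
;; ANSWER SECTION:
isilon.hpc.             0       IN      A       192.168.3.121
;; AUTHORITY SECTION:
isilon.hpc.             259200  IN      NS      isilon-dns.hpc.
"""

def parse_dig(text):
    """Collect header flags, the question name and the records of each section."""
    out = {"flags": set(), "qname": "", "ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    section = None
    for line in text.splitlines():
        if m := re.match(r";; flags:([^;]*);", line):
            out["flags"] = set(m.group(1).split())
        elif m := re.match(r";; (\w+) SECTION:", line):
            section = m.group(1)
        elif section == "QUESTION" and line.startswith(";"):
            out["qname"] = line[1:].split()[0].lower()
        elif section in out and line and not line.startswith(";"):
            name, _ttl, _cls, rtype, rdata = line.split()[:5]
            out[section].append((name.lower(), rtype, rdata))
    return out

def classify(text):
    """Return ("answer", addresses), ("referral", nameservers) or ("other", [])."""
    r = parse_dig(text)
    if r["ANSWER"]:
        return "answer", [d for _, t, d in r["ANSWER"] if t == "A"]
    # A referral: no answer, no aa flag, and NS records at or above the queried name.
    cut = [d for n, t, d in r["AUTHORITY"]
           if t == "NS" and ("." + r["qname"]).endswith("." + n)]
    if cut and "aa" not in r["flags"]:
        return "referral", cut
    return "other", []
```
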

Re: Powerdns Problem with Delegation to Isilon.

syaginf
I have pdns-recursor configured.
It works for outside addresses, but I can't seem to make it respond for this type of requests.

Indeed what happens on bind side is isilon would return one of the addresses from dynamic pool.
So if I keep repeating requests I will keep getting different addresses most of the time.

So far I wasn't able to replicate this kind of behavior using PDNS with PDNS-Recursor.

What would be the config changes?
Do I have to keep the 2 records I have and add something like
forward-zones in recursor?
What would be the record.
forward-zones=isilon.hpc=192.168.3.0?
or
forward-zones=isilon-dns.hpc=192.168.3.0?

PDNS is master for .hpc so what would make it go and use recursor for records in hpc domain?

Re: Powerdns Problem with Delegation to Isilon.

ktm@rice.edu
On Wed, Mar 23, 2016 at 06:12:53AM -0700, syaginf wrote:

> I have pdns-recursor configured.
> It works for outside addresses, but I can't seem to make it respond for
> this type of requests.
>
> Indeed what happens on bind side is isilon would return one of the addresses
> from dynamic pool.
> So if I keep repeating requests I will keep getting different addresses most
> of the time.
>
> So far I wasn't able to replicate this kind of behavior using PDNS with
> PDNS-Recursor.
>
> What would be the config changes?
> Do I have to keep the 2 records I have and add something like
> forward-zones in recursor?
> What would be the record.

This one. You want lookups for this domain to be handled by your Isilon DNS
service.

> forward-zones=isilon.hpc=192.168.3.0?

Not this. The zone to forward is the one that will be served.

> or
> forward-zones=isilon-dns.hpc=192.168.3.0?
>
> PDNS is master for .hpc so what would make it go and use recursor for
> records in hpc domain?
>

Regards,
Ken

Re: Powerdns Problem with Delegation to Isilon.

syaginf
In reply to this post by syaginf
This is the part I don't understand I guess.
what would be the forward zone that I am serving?
if it's not isilon.hpc and not isilon-dns.hpc? What exactly am I serving and how do I put it in?
forward-zone=???=???

Because what is happening is nfs would query isilon.hpc and it needs to resolve that to ip address of some sort to perform nfs mount.


Re: Powerdns Problem with Delegation to Isilon.

syaginf
In reply to this post by ktm@rice.edu
Ok. This is clearly a part I don't understand then.
So I need to put something in
forward-zones=

But what do I put there?
It's not isilon.hpc and not isilon-dns.hpc
So what is it?
forward-zone=????=???

What I need to happen is NFS query isilon.hpc and get ip address and use it to do mount.
I am sure answer is something simple, but I am clearly not getting what it should be.

Re: Powerdns Problem with Delegation to Isilon.

ktm@rice.edu
In reply to this post by syaginf
On Wed, Mar 23, 2016 at 06:30:47AM -0700, syaginf wrote:
> This is the part I don't understand I guess.
> what would be the forward zone that I am serving?
> if it's not isilon.hpc and not isilon-dns.hpc? What exactly am I serving and
> how do I put it in?
> forward-zone=???=???
>
> Because what is happening is nfs would query isilon.hpc and it needs to
> resolve that to ip address of some sort to perform nfs mount.
>

You need to put the zone for lookups: isilon.hpc and the IP address of its name
server:

forward-zones=isilon.hpc=a.b.c.d

and restart/reload pdns-recursor.

Regards,
Ken

Re: Powerdns Problem with Delegation to Isilon.

syaginf
I had tried that before posting here, but the result is the same.

when putting
forward-zones=isilon.hpc=192.168.3.0

I still don't get answer for A record.

Re: Powerdns Problem with Delegation to Isilon.

syaginf
I have tried following options at this point
forward-zones=isilon.hpc=192.168.3.0
forward-zones=+isilon.hpc=192.168.3.0
forward-zones-recurse=192.168.3.0

None of them provide me with result that I need.
I still don't get A record answer.

On Wed, Mar 23, 2016 at 07:12:28AM -0700, syaginf wrote:
> I had tried that before posting here, but the result is the same.
>
> when putting
> forward-zones=isilon.hpc=192.168.3.0
>
> I still don't get answer for A record.
>
Try either:

forward-zones-recurse=isilon.hpc=192.168.3.0

or

forward-zones=+isilon.hpc=192.168.3.0

Regards,
Ken

Re: Powerdns Problem with Delegation to Isilon.

syaginf
What is interesting with
forward-zones=isilon.hpc=192.168.3.0 set
if I do dig and point to recursor dns and port - I get the A record I need.
But when I ask PDNS server I don't get A record.
So it seems like I need to do something that would make PDNS ask recursor about this and it's not happening right now.

I can ask for things like google.com and get response fine so there is communication with recursor happening.

Re: Powerdns Problem with Delegation to Isilon.

David-2
On 2016-03-23 9:03 AM, syaginf wrote:

> What is interesting with
> forward-zones=isilon.hpc=192.168.3.0 set
> if I do dig and point to recursor dns and port - I get the A record I need.
> But when I ask PDNS server I don't get A record.
> So it seems like I need to do something that would make PDNS ask recursor
> about this and it's not happening right now.
>
> I can ask for things like google.com and get response fine so there is
> communication with recursor happening.
>
>

Sounds like you are doing things backwards. You should be asking all
your questions to the recursor and the recursor will have a forward zone
for your internal domain to your pdns-auth server. That way, the
recursor is doing what it does best (recursive lookups) and your
pdns-auth server is just doing auth.

Does that make sense?

Re: Powerdns Problem with Delegation to Isilon.

ktm@rice.edu
In reply to this post by syaginf
On Wed, Mar 23, 2016 at 07:50:37AM -0700, syaginf wrote:
> I have tried following options at this point
> forward-zones=isilon.hpc=192.168.3.0
> forward-zones=+isilon.hpc=192.168.3.0
> forward-zones-recurse=192.168.3.0
>
> None of them provide me with result that I need.
> I still don't get A record answer.
>

Hi,

It works for us but we are using a real domain/subdomain and not a
made up one. If you turn on the trace option for the pdns-recursor,
I suspect that you never get to the right place because the hpc
domain does not exist. Try making the domain a subdomain of your
domain, or alternatively, there is an option for pdns-recursor to
serve some zones authoritatively from a bind-style config file.
Maybe that could be used to enable your made up domainname to work.

Regards,
Ken

Re: Powerdns Problem with Delegation to Isilon.

ktm@rice.edu
In reply to this post by syaginf
On Wed, Mar 23, 2016 at 08:03:04AM -0700, syaginf wrote:
> What is interesting with
> forward-zones=isilon.hpc=192.168.3.0 set
> if I do dig and point to recursor dns and port - I get the A record I need.
> But when I ask PDNS server I don't get A record.
> So it seems like I need to do something that would make PDNS ask recursor
> about this and it's not happening right now.
>

Hi,

You cannot get this answer from the authoritative server. You must use a
recursive DNS server for that. You should be talking to a DNS recursor
for client DNS lookups and not the authoritative-only PDNS server. The
recursor will take care of asking the auth server for what it needs.
We used iptables+nat to have the campus hit the pdns-recursor and off-campus,
who should not get recursion, hit the PDNS auth server.

Regards,
Ken

Re: Powerdns Problem with Delegation to Isilon.

syaginf
In reply to this post by David-2
Ok. So maybe we are doing things a wrong way.
Currently we have pdns running on port 53.
we have recursor running on port 8699

in pdns.conf we have
allow-recursor=127.0.0.0/8,192.168.3.0/24
recursor=127.0.0.1:8699


So nodes send requests to main pdns auth server and if it's not part of hpc it is going to recursor.

Are you suggesting to run recursor on 53
PDNS on port 8699
and have nodes talk to recursor directly?

What would forward-zones= look like to make recursor ask pdns about .hpc addresses?

David-2 wrote
On 2016-03-23 9:03 AM, syaginf wrote:


Sounds like you are doing things backwards. You should be asking all
your questions to the recursor and the recursor will have a forward zone
for your internal domain to your pdns-auth server. That way, the
recursor is doing what it does best (recursive lookups) and your
pdns-auth server is just doing auth.

Does that make sense?

Re: Powerdns Problem with Delegation to Isilon.

syaginf
Seems like it works if we do it this way.
Recursor on port 53

PDNS on custom port 8669
add
forward-zones=isilon.hpc=192.168.3.0,hpc=127.0.0.1:8669

Good to know that I was doing this all backwards.

Re: Powerdns Problem with Delegation to Isilon.

David-2
In reply to this post by syaginf
On 2016-03-23 11:31 AM, syaginf wrote:
>
> Are you suggesting to run recursor on 53
> PDNS on port 8699
> and have nodes talk to recursor directly?
>
> What would forward-zones= look like to make recursor ask pdns about .hpc
> addresses?
>
>

This is how most people would do it; yes.

forward-zones=hpc.=127.0.0.1:8699