Something like lazy recursion

Martin-2
Hi,

I try to migrate our local dns server from pdns 2.9.22 to pdns 3.3.3, but
there is one problem.

We use ldap backend and we have our domain on external auth dns and this same
domain also on local dns, because there are some records which are different for
local and external and some records are only for local.

It was working fine, but after upgrade it's not, and I can see that
lazy-recursion was removed.

Is there any chance to get old behaviour back?

According to the documentation it should work, but it's not.

From documentation

---------------------------------------------------------------
To make sure that the local authoritative database overrides recursive
information, PowerDNS first tries to answer a question from its own database.
If that succeeds, the answer packet is sent back immediately without involving
the recursor in any way. This means that for questions for which there is no
answer, PowerDNS will consult the recursor for an recursive query, even if
PowerDNS is authoritative for a domain!
--------------------------------------------------------------

Many thanks

Martin


_______________________________________________
Pdns-users mailing list
[hidden email]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: Something like lazy recursion

Nick Douma
Hi,

On 20-01-16 10:25, Martin wrote:
> I try to migrate our local dns server from pdns 2.9.22 to pdns 3.3.3, but
> there is one problem.
>
> We use ldap backend and we have our domain on external auth dns and this same
> domain also on local dns, because there are some records which are different for
> local and external and some records are only for local.
>
> It was working fine, but after upgrade it's not, and I can see that
> lazy-recursion was removed.
>
> Is there any chance to get old behaviour back?
>
> According to the documentation it should work, but it's not.
>
> From documentation
>
> ---------------------------------------------------------------
> To make sure that the local authoritative database overrides recursive
> information, PowerDNS first tries to answer a question from its own database.
> If that succeeds, the answer packet is sent back immediately without involving
> the recursor in any way. This means that for questions for which there is no
> answer, PowerDNS will consult the recursor for an recursive query, even if
> PowerDNS is authoritative for a domain!
> --------------------------------------------------------------

This sounds like what I tried to achieve using PowerDNS 3.7, but failed.
I sent a mail to the list titled "Partially authoritative server", but
have not yet received a solution.

Kind regards,

Nick Douma



Re: Something like lazy recursion

Martin-2
On Wednesday 20 of January 2016 12:03:00 Nick Douma wrote:

> Hi,
>
> On 20-01-16 10:25, Martin wrote:
> > I try to migrate our local dns server from pdns 2.9.22 to pdns 3.3.3, but
> > there is one problem.
> >
> > We use ldap backend and we have our domain on external auth dns and this same
> > domain also on local dns, because there are some records which are different for
> > local and external and some records are only for local.
> >
> > It was working fine, but after upgrade it's not, and I can see that
> > lazy-recursion was removed.
> >
> > Is there any chance to get old behaviour back?
> >
> > According to the documentation it should work, but it's not.
> >
> > From documentation
> >
> > ---------------------------------------------------------------
> > To make sure that the local authoritative database overrides recursive
> > information, PowerDNS first tries to answer a question from its own database.
> > If that succeeds, the answer packet is sent back immediately without involving
> > the recursor in any way. This means that for questions for which there is no
> > answer, PowerDNS will consult the recursor for an recursive query, even if
> > PowerDNS is authoritative for a domain!
> > --------------------------------------------------------------
>
> This sounds like what I tried to achieve using PowerDNS 3.7, but failed.
> I sent a mail to the list titled "Partially authoritative server", but
> have not yet received a solution.
>
> Kind regards,
>
> Nick Douma

Hi, yes, it seems exactly the same problem, but as I said, it's working as
expected in previous versions.

So I hope someone will explain how to achieve old behaviour.

Regards

Martin


Re: Something like lazy recursion

Pieter Lexis-2
In reply to this post by Martin-2
Hi Martin (and also Nick),

On Wed, 20 Jan 2016 10:25:53 +0100 Martin <[hidden email]> wrote:

> We use ldap backend and we have our domain on external auth dns and this same
> domain also on local dns, because there are some records which are different for
> local and external and some records are only for local.

Split-horizon with PowerDNS is not possible; furthermore, it is highly recommended not to have the authoritative server do the recursion. I would recommend doing full split horizon as follows:

+---------+       +------+       +---------+
| Auth on | <---> | LDAP | <---> | Auth on |
|   ::1   |       +------+       | public  |
+---------+                      +---------+
     ^                                ^
     |                                |
     v                                v
+----------+                      (internet)
| Recursor |  <--> (internal)
+----------+       (network )

The recursor should have `forward-zones=yourzone.com=[::1]:53`[1] configured. This way, questions for yourzone.com will be passed from the recursor to the local authoritative server. By using different binddn's and filters or attributes, you could restrict the records seen by either Authoritative Server.

This way you can serve the internal records to the users of the recursor and other records to the internet.

> According documentation it should work, but it's not.
>
> From documentation
> [snip]

This discusses the fact that PowerDNS tries additional processing _with_ the recursor component when it is enabled.

Hope this helps, best regards,

Pieter

1 - https://doc.powerdns.com/md/recursor/settings/#forward-zones

--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
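
The layout described in the message above, written out as configuration. This is an added example, not part of the original message or of the PowerDNS documentation. Only the `forward-zones` line comes from the thread; the IP addresses, LDAP host, base DN and bind DNs are constructed placeholders.

```ini
# ---- recursor.conf: internal resolver (addresses are constructed placeholders) ----
# Listen on the internal interface only; loopback port 53 belongs to the auth.
local-address=10.0.0.53
local-port=53
# Answer internal clients only, so this is not an open resolver.
allow-from=10.0.0.0/8
# From the thread: pass questions for the zone to the local authoritative server.
forward-zones=yourzone.com=[::1]:53

# ---- pdns.conf: internal authoritative server, reachable via loopback only ----
launch=ldap
# Bind to loopback so internal-only records are never served to the network
# directly; clients reach them through the recursor above.
local-address=127.0.0.1
local-ipv6=::1
local-port=53
# Leave the auth's recursor= setting unset: recursion is the recursor's job.
# Assumed LDAP values; this bind DN is permitted to read the internal records.
ldap-host=ldap://ldap.internal.example/
ldap-basedn=ou=dns,dc=example,dc=com
ldap-binddn=cn=pdns-internal,ou=services,dc=example,dc=com
ldap-secret=CHANGE_ME_INTERNAL

# ---- pdns.conf: public authoritative server (separate host) ----
launch=ldap
local-address=203.0.113.53
local-port=53
# Same directory, different bind DN: LDAP access control on this account
# limits it to the records meant for the internet.
ldap-host=ldap://ldap.internal.example/
ldap-basedn=ou=dns,dc=example,dc=com
ldap-binddn=cn=pdns-public,ou=services,dc=example,dc=com
ldap-secret=CHANGE_ME_PUBLIC
```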


Re: Something like lazy recursion

Nick Douma
Hi

On 20-01-16 17:39, Pieter Lexis wrote:
> The recursor should have `forward-zones=yourzone.com=[::1]:53`[1]
> configured. This way, questions for yourzone.com will be passed from
> the recursor to the local authoritative server. By using different
> binddn's and filters or attributes, you could restrict the records seen
> by either Authoritative Server.


Does this also work for partial auth zones on the internal auth? Can I
let the internal recursor also try the 'normal' recursion path if the
internal auth returns a NXDOMAIN?

Also, is there a way to automatically/programmatically let the recursor
determine the forward-zone property?

Kind regards,

Nick Douma

