PowerDNS subdomain delegation, no answers

I'm having trouble redirecting subdomain to other DNS.

I have:

main exsisting domain: d and new subdomain:

| 8412 | 42 | test1.d | NS | ns1.test.test1.d
| 8413 | 42 | test1.d | NS | ns2.test.test1.d
| 8414 | 42 | ns1.test.test1.d | A | 10.64.91.100
| 8415 | 42 | ns2.test.test1.d | A | 10.64.91.200

and return:

 dig admin.test1.d

; <<>> DiG 9.10.6 <<>> admin.test1.d
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23733
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;admin.test1.d.         IN  A

;; AUTHORITY SECTION:
test1.d.            60  IN  NS  ns1.test.test1.d.
test1.d.            60  IN  NS  ns2.test.test1.d.

;; ADDITIONAL SECTION:
ns2.test.test1.d.   60  IN  A   10.64.91.200
ns1.test.test1.d.   60  IN  A   10.64.91.100

But it doesn't return records correctly. Example record A is empty.

If I ask 10.64.91.100 records are returned correctly.

dig @10.64.91.100 admin.test1.d

; <<>> DiG 9.10.6 <<>> @10.64.91.100 admin.test1.d
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27387
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;admin.test1.d.         IN  A

;; ANSWER SECTION:
admin.test1.d.      86400   IN  A   10.64.91.50

My configuration pdns:

allow-axfr-ips=10.64.91.112

also-notify=10.64.91.112

only-notify=10.64.91.112

api=yes

api-key=XXXXXXXXX


daemon=yes

default-soa-content=ns1.test.eu1.d. admin.domain.pl. 0 10800 3600 604800 3600

default-ttl=3600

disable-axfr=no

guardian=yes

include-dir=/etc/powerdns/pdns.d

launch=

local-address=10.64.91.111

local-port=53

log-dns-details=on

loglevel=4

master=yes

receiver-threads=2

setgid=pdns

setuid=pdns

slave=no

webserver=yes

webserver-address=10.64.91.111


webserver-allow-from=10.64.91.20

webserver-port=8081

query-cache-ttl=60

MySQL:

# MySQL Configuration
# Launch gmysql backend
launch+=gmysql
# gmysql parameters
gmysql-host=localhost
gmysql-port=3306
gmysql-dbname=XXXX
gmysql-user=XXXXX
gmysql-password=XXXXX
gmysql-dnssec=yes
# gmysql-socket=

Any ideas?

I saw

Powerdns Subdomain & Delegation

and https://nsrc.org/workshops/2010/sanog16/raw-attachment/wiki/DNS/dns4-presentation.pdf

It should work.

In 10.64.91.100 and 10.64.91.100 I use dnsdist.

/etc/dnsdist/dnsdist.conf 
-- dnsdist configuration file, an example can be found in /usr/share/doc/dnsdist/examples/

-- disable security status polling via DNS

setLocal("0.0.0.0:53")
setACL({"0.0.0.0/0", "::/0"})

newServer({address="10.64.91.111:54"})
newServer({address="10.64.91.112:54"})
setServerPolicy(wrandom)

in 10.64.91.111 and 10.64.91.112 I use PowerDNS Recursor.

cat /etc/powerdns/recursor.conf 
local-address=10.64.91.111
local-port=54
allow-from=10.0.0.0/8, 127.0.0.0/8, 10.12.0.0/16, 10.13.0.0/16, 195.88.50.0/26, 10.66.0.0/16, 10.64.0.0/16
forward-zones=d=10.64.91.111:53

If I understand the question correctly, it seems to just be a case of mismatched expectations.

In the first dig command in the question it appears that you are querying the authoritative server directly, and when asked about names in the delegated child zone it just responds with referral information.
This really is all that is expected of an authoritative-only server, there is nothing unexpected happening here.

For a full test from the perspective of a client machine (instead of just one step in the series of queries needed to get the final answer), you would direct the query to a resolver server instead. If that is a missing piece in the infrastructure, that would be for instance one of PowerDNS Recursor (as opposed to PowerDNS Authoritative), Unbound, BIND with recursion enabled, Knot Resolver, etc.

This is the type of server that would be configured on client machines (in resolv.conf or whatever configuration mechanism the client OS has), and which will follow the chain of delegations to actually get the answers that clients were asking for, as opposed to an authoritative server which has the role of just serving the data it has (and in the case of a delegation, just sending a referral as seen in the question).

Okay, it works.

I added in recursor.conf dont-query and deleted 10.0.0.0/8.

Default is:

Default: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 0.0.0.0/8, 192.0.0.0/24, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 240.0.0.0/4, ::/96, ::ffff:0:0/96, 100::/64, 2001:db8::/32