Score:-1

PowerDNS Auth and Recursor - Bug with one domain?

I have a problem with one of my domains on my private DNS. I have two servers.

Server 1 with dnsdist. It forwards to port 54 on server 2.

Server 2 with powerdns (port 53) and powerdns-recursor (port 54).

My configuration is working fine.

pdns.conf

allow-axfr-ips=X.X.X.X
also-notify=X.X.X.X
only-notify=X.X.X.X
daemon=yes
default-soa-content=ns1.example.eu1. admin.example.eu. 0 10800 3600 604800 3600
default-ttl=3600
disable-axfr=no
guardian=yes
include-dir=/etc/powerdns/pdns.d
launch=
local-address=X.X.X.X
local-port=53
log-dns-details=on
loglevel=4
master=yes
receiver-threads=2
setgid=pdns
setuid=pdns
slave=no
query-cache-ttl=60

recursor.conf

dont-query=127.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 0.0.0.0/8, 192.0.0.0/24, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 240.0.0.0/4, ::/96, ::ffff:0:0/96, 100::/64, 2001:db8::/32
allow-from=10.0.0.0/8, 127.0.0.0/8, 10.12.0.0/16, 10.13.0.0/16, 195.88.50.0/26, 10.66.0.0/16, 10.64.0.0/16
local-address=X.X.X.X
local-port=54
forward-zones=admin=X.X.X.X:53
max-negative-ttl=300

And I am getting records from the internet correctly. For example:

dig gmail.com TXT @X.X.X.X

; <<>> DiG 9.10.6 <<>> gmail.com TXT @X.X.X.X
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21866
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;gmail.com.         IN  TXT

;; ANSWER SECTION:
gmail.com.      103 IN  TXT "globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8="
gmail.com.      103 IN  TXT "v=spf1 redirect=_spf.google.com"

But I ran into a problem with one domain. More specifically, with one TXT record. It returns the A and NS records correctly, but not TXT.

dig domain.pl TXT @X.X.X.X

(this domain is an example ;) )

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47032
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domain.pl.         IN  TXT

When I use 8.8.8.8 instead:

dig domain.pl TXT @8.8.8.8

it resolves correctly:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10134
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;domain.pl.         IN  TXT

;; ANSWER SECTION:
domain.pl.      3600    IN  TXT "FHEdYvpM4TH6rmkf5U/YZ9I7VY6j3YftBJ1W7TVNh+ymbXU++rhkb1sXGnleSybC8NnUtP2ALk7/mAHE9LVgGg=="

And it's not the cache. It was cleared. It just doesn't see the TXT record, every time.

Anyone have any ideas?

In the logs, I see:

Failed to resolve via any of the 2 offered NS at level
failed (res=-1) 

Nikita Kipriyanov: Since the problem is with some particular domain, I swear we can't help until you tell us which one exactly, so we can see for ourselves. Sorry. You may try e.g. a DNS looking glass out there to test whether the domain itself is OK.

onee: Ok, I found it. It works now. In recursor.conf I added dnssec=off
Score:1

Ok, I found the issue. Now it works fine. In recursor.conf I added dnssec=off
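Before switching validation off for the whole resolver, the pattern behind this answer can be confirmed for the one zone: a query that SERVFAILs normally but succeeds with +cd (checking disabled) is a DNSSEC validation failure, not a resolution failure. The POSIX shell helper below is an added example, not code from the thread; it parses dig header lines like the ones quoted above and uses constructed samples so it runs offline.

```shell
#!/bin/sh
# Constructed dig header lines standing in for real output (not from the thread):
# the plain query and the same query with +cd (checking disabled), which asks
# the recursor to answer without applying DNSSEC validation.
SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47032'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47033'

# Pull the rcode (NOERROR, SERVFAIL, ...) out of dig output read from stdin.
dig_status() {
  sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Classify a lookup from the two rcodes. SERVFAIL that turns into NOERROR
# under +cd means the recursor could fetch the data but refused to validate
# it: a DNSSEC problem in that one zone, not a general resolution failure.
classify_failure() {
  plain="$1"; cdq="$2"
  if [ "$plain" = "NOERROR" ]; then
    echo "ok"
  elif [ "$plain" = "SERVFAIL" ] && [ "$cdq" = "NOERROR" ]; then
    echo "dnssec-validation-failure"
  elif [ "$plain" = "SERVFAIL" ] && [ "$cdq" = "SERVFAIL" ]; then
    echo "resolution-failure"
  else
    echo "other:$plain/$cdq"
  fi
}

# Offline demonstration on the constructed samples.
demo() {
  plain=$(printf '%s\n' "$SAMPLE_PLAIN" | dig_status)
  cdq=$(printf '%s\n' "$SAMPLE_CD" | dig_status)
  classify_failure "$plain" "$cdq"
}

# Live check against a recursor (needs dig and network), e.g.
#   diagnose domain.pl TXT X.X.X.X
diagnose() {
  name="$1"; rrtype="$2"; server="$3"
  plain=$(dig "$name" "$rrtype" "@$server" | dig_status)
  cdq=$(dig +cd "$name" "$rrtype" "@$server" | dig_status)
  classify_failure "$plain" "$cdq"
}
```

When the result is dnssec-validation-failure, PowerDNS Recursor can exempt just that zone with a negative trust anchor (rec_control add-nta DOMAIN REASON) while the zone owner fixes their signatures, which keeps validation on for everything else.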