
I'm having a bit of trouble with a delegated subdomain using powerdns. My setup is quite straight forward.

Example.com

2 powerdns servers. 1 Master, 1 Slave.

Zone Config 
example.com     SOA      ns1.example.com
example.com     NS       ns1.example.com
example.com     NS       ns2.example.com

ns1.example.com A        192.168.0.1
ns2.example.com A        192.168.0.2

sub.example.com NS       ns1.sub.example.com
sub.example.com NS       ns2.sub.example.com

ns1.sub.example.com A    192.168.10.1
ns2.sub.example.com A    192.168.10.2

Then my sub domain looks like:

2 more powerdns servers. 1 Master, 1 Slave.

sub.example.com SOA      ns1.sub.example.com
sub.example.com NS       ns1.sub.example.com
sub.example.com NS       ns2.sub.example.com

ns1.sub.example.com A    192.168.10.1
ns1.sub.example.com A    192.168.10.2

ubuntutest.sub.example.com A 192.168.10.10

When I'm on that ubuntutest host on the subdomain, I can resolve the NS fine, and as I have recursion set up on the subdomain, I can resolve addresses on example.com.

When I am on a host on the example.com domain, I can resolve things on example.com fine. However, I am unable to resolve devices on the subdomain.

When I dig the subdomain I get the following output, showing the authority but no answers.

olly@master:~$ dig sub.example.com. ns

; <<>> DiG 9.9.5-11ubuntu1.3-Ubuntu <<>> sub.example.com. ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60134
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 2800
;; QUESTION SECTION:
;sub.example.com.       IN  NS

;; AUTHORITY SECTION:
sub.example.com.    86400   IN  NS  ns1.sub.example.com.
sub.example.com.    86400   IN  NS  ns2.sub.example.com.

;; ADDITIONAL SECTION:
ns1.sub.example.com.    86400   IN  A   192.168.10.1
ns2.sub.example.com.    86400   IN  A   192.168.10.2


;; Query time: 3 msec
;; SERVER: 10.3.16.4#53(10.3.16.4)
;; WHEN: Mon Mar 21 16:20:16 GMT 2016
;; MSG SIZE  rcvd: 147

Has anyone out there seen this before? If so, what am I missing?

Thanks a lot :)

olly
  • You should make a new post, not as 'guest' or whatever that means. In that post you put all information, not hiding domain names, and not putting a second copy in a comment. Then it might be possible to make sense of your question :) – Habbie May 09 '16 at 07:17

3 Answers


Your command:

$ dig sub.example.com. ns

is only asking for nameserver (NS) records, so that's all you're getting back.

Ward - Reinstate Monica
  • Sorry, that was a mistake on my part. However, dig ubuntutest.sub.example.com gives me the same response: calling out the authorities, but not giving me an answer. – olly Mar 21 '16 at 17:26

The answer you're getting is a referral, and zero answers is normal for that.

A referral supplied by an authoritative server must meet the following criteria:

  • An unset aa (authoritative answer) bit
  • Zero answers
  • An authority section containing the nameservers that authority is being delegated to
  • An additional section is only mandatory if glue records are necessary to follow the referral, which is the case here.

The authoritative version of the NS records is held by the server you are delegating authority to. It would be incorrect to provide an answer section in this context. RFC 2181 is very clear on this point:

... The NS records that indicate a zone cut are the property of the child zone created, as are any other records for the origin of that child zone, or any sub-domains of it. A server for a zone should not return authoritative answers for queries related to names in another zone, which includes the NS, and perhaps A, records at a zone cut, unless it also happens to be a server for the other zone.


As for why you're getting a referral, you have not provided enough information to determine that. Taking a guess, this seems to imply that 10.3.16.4 contains an authoritative copy of example.com. The referral is not helpful to stub resolvers (i.e. OS resolver libraries) pointing at 10.3.16.4; only a recursive server will chase the referral.

I suspect you've implemented a referral where a forwarder is needed. How to implement that on 10.3.16.4 (for which no OS or software has been provided) is outside the scope of this question.

Andrew B
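As an added illustration (not part of the question or of either answer), the Python below builds two constructed wire-format DNS messages from the names and addresses in the question: the referral the parent server returned in the dig output above (no aa bit, ANSWER 0, NS records in AUTHORITY, glue A records in ADDITIONAL) and the authoritative answer ns1.sub.example.com itself would give for ubuntutest.sub.example.com (assumed from the zone listing), then classifies each the way a resolver would. The builder and classifier are my own code, not PowerDNS's.

```python
import struct
# Constructed messages (not captured traffic), built from the question's names/addresses.
A, NS, SOA, AA, RCODE = 1, 2, 6, 0x0400, 0x000F

def _name(s):  # uncompressed label sequence
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"
def _rr(name, rtype, rdata, ttl=86400):
    return _name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
def _msg(flags, qname, qtype, an=(), ns=(), ar=()):
    hdr = struct.pack("!HHHHHH", 60134, flags, 1, len(an), len(ns), len(ar))
    return hdr + _name(qname) + struct.pack("!HH", qtype, 1) + b"".join(an + ns + ar)

def referral_from_parent():  # parent's reply: qr rd ra, no aa, ANSWER 0, NS + glue
    return _msg(0x8180, "ubuntutest.sub.example.com", A,
                ns=(_rr("sub.example.com", NS, _name("ns1.sub.example.com")),
                    _rr("sub.example.com", NS, _name("ns2.sub.example.com"))),
                ar=(_rr("ns1.sub.example.com", A, bytes([192, 168, 10, 1])),
                    _rr("ns2.sub.example.com", A, bytes([192, 168, 10, 2]))))

def answer_from_child():  # assumed reply of ns1.sub.example.com: aa set, one A answer
    return _msg(0x8580, "ubuntutest.sub.example.com", A,
                an=(_rr("ubuntutest.sub.example.com", A, bytes([192, 168, 10, 10])),))

def _skip_name(msg, off):
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def _skip_rr(msg, off):  # -> (TYPE, offset just past RDATA)
    off = _skip_name(msg, off)
    rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    return rtype, off + 10 + rdlen

def classify(msg):
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    off, types = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns):  # walk ANSWER then AUTHORITY, recording each TYPE
        rtype, off = _skip_rr(msg, off)
        types.append(rtype)
    auth = set(types[an:])
    if (flags & RCODE) == 3:
        return "nxdomain"
    if an:
        return "authoritative answer" if flags & AA else "non-authoritative answer"
    if NS in auth and not flags & AA:
        return "referral"  # a stub resolver stops here; only a recursor chases it
    return "nodata" if flags & AA and SOA in auth else "other"
```

Pointing a stub resolver (an OS resolver library) at the parent yields the first shape and therefore no address; only a recursive server, or a forwarder on the parent, turns it into the second.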

Thanks a lot Andrew B (Made the post as a guest so can't comment)

I have 2x powerdns authoritative servers running example.com (master, slave) with a MySQL backend replicating. Running on Ubuntu 14.04.

pdns.conf for master (192.168.0.1)

allow-recursion=0.0.0.0/0
recursor=8.8.8.8
allow-axfr-ips=192.168.0.2/32
config-dir=/etc/powerdns
daemon=yes
disable-axfr=no
guardian=yes
local-address=0.0.0.0
local-port=53
log-dns-details=on
log-failed-updates=on
loglevel=3
module-dir=/usr/lib/powerdns
master=yes
slave=no
setgid=pdns
setuid=pdns
socket-dir=/var/run
version-string=powerdns
include-dir=/etc/powerdns/pdns.d

For sub.example.com, I'm running this domain on a private cloud. It has its 2 powerdns nameservers too, with a MySQL backend. Running on Debian Jessie.

pdns.conf for Master (192.168.10.1)

# General Config
allow-recursion=0.0.0.0/0
recursor=192.168.0.1
setgid=pdns
setuid=pdns
config-dir=/etc/powerdns
socket-dir=/var/run
guardian=yes
daemon=yes
disable-axfr=no
local-address=0.0.0.0
local-port=53
master=no
slave=yes
cache-ttl=0
query-cache-ttl=0
negquery-cache-ttl=0
out-of-zone-additional-processing=no
do-ipv6-additional-processing=no

My thinking was that a user in the private cloud, using the recursors, can get out through the example.com domain, and users on the example.com domain can access services running on the private cloud using sub.example.com.

olly