
So I've been in the process of setting up PDNS Recursor and Authoritative servers for an internal network. The recursor runs on port 53 and the authoritative server runs on 5300. Requests are forwarded using the below:

forward-zones=example.com=127.0.0.1:5300, 30.168.192.in-addr.arpa=127.0.0.1:5300
forward-zones-recurse=.=8.8.8.8

I have a subdomain specifically for active directory that I have delegated to the AD DNS system

v-dc-1.ad.example.com A 192.168.30.15

When I perform a dig query for anything in the subdomain, the recursor correctly talks to the AD nameserver. However, whenever I try to look up the NS IP, I get 'SERVFAIL'. I have traced the query, as below:

Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Wants DNSSEC processing, auth data in query for A
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Looking for CNAME cache hit of 'v-dc-1.ad.example.com|CNAME'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: No CNAME cache hit of 'v-dc-1.ad.example.com|CNAME' found
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: No cache hit for 'v-dc-1.ad.example.com|A', trying to find an appropriate NS record
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] : got TA for '.'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] : setting cut state for . to Secure
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: initial validation status for v-dc-1.ad.example.com is Indeterminate
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Cache consultations done, have 1 NS to contact
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Domain has hardcoded nameserver
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Resolved 'example.com' NS (empty) to: 127.0.0.1
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Trying IP 127.0.0.1:5300, asking 'v-dc-1.ad.example.com|A'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Got 3 answers from (empty) (127.0.0.1), rcode=0 (No Error), aa=0, in 2ms
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: accept answer 'ad.example.com|NS|v-dc-1.ad.example.com.' from 'example.com' nameservers? ttl=3600, place=2 YES! - This answer was received from a server we forward to.
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: accept answer 'v-dc-1.ad.example.com|A|192.168.30.15' from 'example.com' nameservers? ttl=3600, place=3 YES! - This answer was received from a server we forward to.
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: OPT answer '.' from 'example.com' nameservers
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] : got initial zone status Indeterminate for record ad.example.com
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] : got initial zone status Indeterminate for record v-dc-1.ad.example.com
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: determining status after receiving this packet
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: got NS record 'ad.example.com' -> 'v-dc-1.ad.example.com.'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: status=did not resolve, got 1 NS, looping to them
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com.: Nameservers: v-dc-1.ad.example.com.(0.00ms)
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Using NS to resolve itself, but only using what we have in cache (1/1)
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Trying to resolve NS 'v-dc-1.ad.example.com' (1/1)
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343]    v-dc-1.ad.example.com: Wants DNSSEC processing, NO auth data in query for A
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343]    v-dc-1.ad.example.com: Recursion not requested for 'v-dc-1.ad.example.com|A', peeking at auth/forward zones
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343]    v-dc-1.ad.example.com: forwarding query to hardcoded nameserver '127.0.0.1:5300' for zone 'example.com'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Failed to get IP for NS v-dc-1.ad.example.com, trying next if available
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Failed to resolve via any of the 1 offered NS at level 'ad.example.com'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Ageing nameservers for level 'ad.example.com', next query might succeed
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: failed (res=-1)

Can anyone point me in the right direction with this?

jsjw

1 Answer


I was having the exact same issue and the only thing that worked for me was using a dedicated host name for the glue records that is not used for anything else but the delegation.

So for example, instead of

subdomain.example.com.     IN NS dc.subdomain.example.com.
dc.subdomain.example.com.  IN A 192.0.2.10

use an alternative host name that points to the same IP address as the DC:

subdomain.example.com.     IN NS ns.subdomain.example.com.
ns.subdomain.example.com.  IN A 192.0.2.10
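The pattern in the answer above can be checked mechanically before the parent zone is loaded. The following is an added example, not code from the question, the answer or PowerDNS itself: it parses a small zone-file snippet, finds NS records whose target sits inside the delegated child (an in-bailiwick name server, which needs glue), and reports when the parent zone has no A/AAAA glue for that name or when the name is also used for something else (extra record types at the name, or another record's rdata pointing at it). The zone snippets and the `ldap.example.com` CNAME are constructed to show what the check flags; only the standard library is used.

```python
"""Lint a parent zone's delegation for glue and a dedicated glue host name.

Added example, not from the original question or answer. Records are given
as 'owner [TTL] [IN] TYPE rdata' lines; $ORIGIN, relative names and
multi-line records are deliberately not handled.
"""
from collections import defaultdict


def _norm(name):
    """Lower-case a domain name and drop the trailing dot."""
    return name.lower().rstrip(".")


def parse_zone(text):
    """Return a list of (owner, rtype, rdata) tuples from a zone snippet."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # strip ';' comments
        if not line:
            continue
        fields = line.split()
        owner, rest = _norm(fields[0]), fields[1:]
        if rest and rest[0].isdigit():         # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":   # optional class
            rest = rest[1:]
        records.append((owner, rest[0].upper(), " ".join(rest[1:])))
    return records


def in_bailiwick(name, zone):
    """True when name is zone itself or lies below it."""
    return name == zone or name.endswith("." + zone)


def check_delegations(records):
    """Return {ns_target: [problem, ...]} for each in-bailiwick NS target.

    An empty problem list means the target has glue in this zone and the
    name is used for nothing but the delegation.
    """
    types_at = defaultdict(set)
    for owner, rtype, _ in records:
        types_at[owner].add(rtype)

    report = {}
    for child, rtype, rdata in records:
        if rtype != "NS":
            continue
        target = _norm(rdata)
        if not in_bailiwick(target, child):
            continue   # out-of-bailiwick NS: glue lives elsewhere
        problems = []
        if not types_at[target] & {"A", "AAAA"}:
            problems.append("no A/AAAA glue record at %s" % target)
        extra = types_at[target] - {"A", "AAAA"}
        if extra:
            problems.append("glue name also owns %s records" % "/".join(sorted(extra)))
        for owner, rt, rd in records:
            if rt == "NS" or owner == target or not rd.split():
                continue
            # CNAME/MX/SRV/PTR rdata carry the referenced name as last token
            if _norm(rd.split()[-1]) == target:
                problems.append("%s %s points at the glue name" % (owner, rt))
        report[target] = problems
    return report


# Constructed parent-zone snippets (hypothetical names and addresses).
BEFORE = """
; DC host name doubles as the delegation's name server
subdomain.example.com.     IN NS    dc.subdomain.example.com.
dc.subdomain.example.com.  IN A     192.0.2.10
ldap.example.com.          IN CNAME dc.subdomain.example.com.
"""

AFTER = """
; dedicated name for the delegation, same address as the DC
subdomain.example.com.     IN NS    ns.subdomain.example.com.
ns.subdomain.example.com.  IN A     192.0.2.10
ldap.example.com.          IN CNAME dc.subdomain.example.com.
"""

NO_GLUE = """
subdomain.example.com.     IN NS    ns.subdomain.example.com.
"""


def lint(text):
    """Parse and check a zone snippet in one call."""
    return check_delegations(parse_zone(text))


if __name__ == "__main__":
    for label, zone in (("before", BEFORE), ("after", AFTER), ("no glue", NO_GLUE)):
        for target, problems in lint(zone).items():
            print("%s: %s -> %s" % (label, target, problems or "OK"))
```

Run it as-is to see the "before" layout flagged because another record still refers to the glue name, the "after" layout pass, and a delegation without glue reported; feed it your own parent-zone records to check a delegation before reloading the authoritative server.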