He estado en el proceso de configurar un servidor PDNS recursivo y autoritativo para una red interna. El servidor recursivo se ejecuta en el puerto 53 y el autoritativo se ejecuta en el 5300. Las solicitudes se reenvían mediante lo siguiente:
forward-zones=example.com=127.0.0.1:5300, 30.168.192.in addr.arpa=127.0.0.1:5300
forward-zones-recurse=.=8.8.8.8
Tengo un subdominio específico para directorio activo que he delegado al sistema AD DNS
v-dc-1.ad.example.com A 192.168.30.15
Cuando realizo una consulta de excavación a cualquier cosa en el subdominio, el recursor habla correctamente con el servidor de nombres de AD. Sin embargo, cada vez que intento buscar la IP de NS, aparece "servfail". He rastreado la consulta, como se muestra a continuación:
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Wants DNSSEC processing, auth data in query for A
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Looking for CNAME cache hit of 'v-dc-1.ad.example.com|CNAME'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: No CNAME cache hit of 'v-dc-1.ad.example.com|CNAME' found
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: No cache hit for 'v-dc-1.ad.example.com|A', trying to find an appropriate NS record
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] : got TA for '.'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] : setting cut state for . to Secure
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: initial validation status for v-dc-1.ad.example.com is Indeterminate
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Cache consultations done, have 1 NS to contact
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Domain has hardcoded nameserver
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Resolved 'example.com' NS (empty) to: 127.0.0.1
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Trying IP 127.0.0.1:5300, asking 'v-dc-1.ad.example.com|A'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Got 3 answers from (empty) (127.0.0.1), rcode=0 (No Error), aa=0, in 2ms
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: accept answer 'ad.example.com|NS|v-dc-1.ad.example.com.' from 'example.com' nameservers? ttl=3600, place=2 YES! - This answer was received from a server we forward to.
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: accept answer 'v-dc-1.ad.example.com|A|192.168.30.15' from 'example.com' nameservers? ttl=3600, place=3 YES! - This answer was received from a server we forward to.
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: OPT answer '.' from 'example.com' nameservers
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] : got initial zone status Indeterminate for record ad.example.com
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] : got initial zone status Indeterminate for record v-dc-1.ad.example.com
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: determining status after receiving this packet
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: got NS record 'ad.example.com' -> 'v-dc-1.ad.example.com.'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: status=did not resolve, got 1 NS, looping to them
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com.: Nameservers: v-dc-1.ad.example.com.(0.00ms)
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Using NS to resolve itself, but only using what we have in cache (1/1)
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Trying to resolve NS 'v-dc-1.ad.example.com' (1/1)
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Wants DNSSEC processing, NO auth data in query for A
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Recursion not requested for 'v-dc-1.ad.example.com|A', peeking at auth/forward zones
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: forwarding query to hardcoded nameserver '127.0.0.1:5300' for zone 'example.com'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Failed to get IP for NS v-dc-1.ad.example.com, trying next if avaicomle
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Failed to resolve via any of the 1 offered NS at level 'ad.example.com'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Ageing nameservers for level 'ad.example.com', next query might succeed
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: failed (res=-1)
¿Alguien puede indicarme la dirección correcta con esto?
Respuesta1
Estaba teniendo exactamente el mismo problema y lo único que funcionó para mí fue usar un nombre de host dedicado para los registros de pegamento que no se usa para nada más que la delegación.
Así, por ejemplo, en lugar de
subdomain.example.com. IN NS dc.subdomain.example.com.
dc.subdomain.example.com. IN A 192.0.2.10
use un nombre de host alternativo, pero apunte a la misma dirección IP que el DC:
subdomain.example.com. IN NS ns.subdomain.example.com.
ns.subdomain.example.com. IN A 192.0.2.10