No effect (anyway, default is yes), I even tried qname-max-minimize-count=1, no success.

Recursor is 5.0.5 btw.

Thanks

On 2024-08-06 11:06, Frank @ kiwazo.be wrote:
Could you try disabling qname-minimisation?
https://doc.powerdns.com/recursor/settings.html#qname-minimization

If that works, could you file a bug with the Consul folks?

Frank

On 6 Aug 2024, at 10:56, procha...@cortex.cz wrote:

Consul cluster is authoritative:

# dig soa consul @localhost -p 8600
; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> soa consul @localhost -p 8600
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1715
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;consul. IN SOA

;; ANSWER SECTION:
consul. 0 IN SOA ns.consul. hostmaster.consul. 1722932854 3600 600 86400 0

;; AUTHORITY SECTION:
consul. 0 IN NS test-consul-02.service.dc1.consul.
consul. 0 IN NS test-consul-01.service.dc1.consul.
consul. 0 IN NS test-consul-03.service.dc1.consul.

;; ADDITIONAL SECTION:
test-consul-02.service.dc1.consul. 0 IN A 192.168.200.206
test-consul-01.service.dc1.consul. 0 IN A 192.168.200.205
test-consul-03.service.dc1.consul. 0 IN A 192.168.200.207

Dnsmasq is default Debian12 configuration, only custom snippet:
server=/consul/192.168.200.205#8600

Pdns recursor default Debian12 configuration, custom snippet:
# cat /etc/powerdns/recursor.d/recursor-local.conf


allow-from=127.0.0.1,192.168.0.0/16,SUBNET1/22,SUBNET2/27,::1/128,SUBNET3/29,SUBNET4/24
local-address=::1,IPv6,127.0.0.1,IPv4
local-port=53
max-negative-ttl=300
query-local-address=0.0.0.0,::
serve-rfc1918=no

forward-zones=
forward-zones+=sub1.domain.tld=IPs pdns auth
forward-zones+=sub2.domain.tld=IPs pdns auth
forward-zones+=168.192.in-addr.arpa=IPs pdns auth
forward-zones+=a.b.c.d.ip6.arpa=IPs pdns auth
forward-zones+=sub3.domain.tld=IPs pdns auth
forward-zones+=consul=192.168.200.205:8600

When I change the forward zone to only consul, as with dnsmasq:
10:31:32.584238 IP 192.168.200.201.49345 > 192.168.200.55: 47787+ [1au] A? master.testcluster.service.consul. (74)
10:31:32.736315 IP 192.168.200.55.domain > 192.168.200.201.49345: 47787 ServFail 0/0/1 (62)

10:31:32.584694 IP 192.168.200.55.30152 > 192.168.200.205.8600: 59346 [1au] A? service.consul. (43)
10:31:32.586480 IP 192.168.200.205.8600 > 192.168.200.55.30152: 59346 NXDomain* 0/1/1 (93)
10:31:32.603241 IP 192.168.200.55.29051 > 192.168.200.205.8600: 13078 [1au] A? master.testcluster.service.consul. (62)
10:31:32.606545 IP 192.168.200.205.8600 > 192.168.200.55.29051: 13078* 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A 192.168.200.202 (122)
10:31:32.613117 IP 192.168.200.55.49421 > 192.168.200.205.8600: 50188 [1au] DS? testcluster.service.consul. (55)
10:31:32.615703 IP 192.168.200.205.8600 > 192.168.200.55.49421: 50188* 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A 192.168.200.202 (115)
10:31:32.633388 IP 192.168.200.55.49375 > 192.168.200.205.8600: 19606 [1au] DS? testcluster.service.consul. (55)
10:31:32.635325 IP 192.168.200.205.8600 > 192.168.200.55.49375: 19606* 2/0/1 CNAME test-patroni-01.sub1.domain.tld., A 192.168.200.201 (115)
10:31:32.641387 IP 192.168.200.55.56897 > 192.168.200.205.8600: 28586 [1au] DS? testcluster.service.consul. (55)
10:31:32.643305 IP 192.168.200.205.8600 > 192.168.200.55.56897: 28586* 2/0/1 CNAME test-patroni-01.sub1.domain.tld., A 192.168.200.201 (115)
10:31:32.656262 IP 192.168.200.55.18550 > 192.168.200.205.8600: 25986 [1au] DS? testcluster.service.consul. (55)
10:31:32.658261 IP 192.168.200.205.8600 > 192.168.200.55.18550: 25986* 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A 192.168.200.202 (115)
10:31:32.667227 IP 192.168.200.55.8608 > 192.168.200.205.8600: 16502 [1au] DS? testcluster.service.consul. (55)
10:31:32.669022 IP 192.168.200.205.8600 > 192.168.200.55.8608: 16502* 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A 192.168.200.202 (115)
10:31:32.686261 IP 192.168.200.55.30571 > 192.168.200.205.8600: 52874 [1au] DS? testcluster.service.consul. (55)
10:31:32.688356 IP 192.168.200.205.8600 > 192.168.200.55.30571: 52874* 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A 192.168.200.202 (115)
10:31:32.712947 IP 192.168.200.55.2258 > 192.168.200.205.8600: 303 [1au] DS? testcluster.service.consul. (55)
10:31:32.715829 IP 192.168.200.205.8600 > 192.168.200.55.2258: 303* 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A 192.168.200.202 (115)
10:31:32.726324 IP 192.168.200.55.13556 > 192.168.200.205.8600: 3022 [1au] DS? testcluster.service.consul. (55)
10:31:32.728700 IP 192.168.200.205.8600 > 192.168.200.55.13556: 3022* 2/0/1 CNAME test-patroni-01.sub1.domain.tld., A 192.168.200.201 (115)

Consul is set for domain "consul".
Patroni is set for namespace "service".
Patroni is set for scope "testcluster".

That's why I can't set a forward zone for testdomain.service.consul,
because every patroni cluster (or every cluster service) has its own
scope value. Anyway, I set
forward-zone+=testdomain.service.consul=..., got NXDOMAIN result
this time.

Dnsmasq/dig does only one query (tcpdump from consul server):
10:54:04.293482 IP 192.168.200.201.35239 > 192.168.200.205.8600: 40715+ [1au] A? master.testcluster.service.consul. (74)
10:54:04.297128 IP 192.168.200.205.8600 > 192.168.200.201.35239: 40715* 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A 192.168.200.202 (122)

BUT pdns is doing multiple queries. That's the main difference.

Thanks.

On 2024-08-06 10:06, Frank @ kiwazo.be wrote:
dnsmasq: forwarded master.testcluster.service.consul to 192.168.200.205#8600
dnsmasq: reply master.testcluster.service.consul is <CNAME>
dnsmasq: reply test-patroni-02.sub.domain.tld is 192.168.200.202
...
Failing query via pdns-recursor, pdns to consul:
09:00:28.996364 IP 192.168.200.55.50085 > 192.168.200.205.8600: 36627+% [1au] A? master.testcluster.service.consul. (62)
09:00:29.007576 IP 192.168.200.205.8600 > 192.168.200.55.50085: 36627* 2/0/1 CNAME test-patroni-02.intr.cortex.cz., A 192.168.200.202 (122)
09:00:29.021812 IP 192.168.200.55.33770 > 192.168.200.206.8600: 35806+% [1au] DS? service.consul. (43)
09:00:29.023654 IP 192.168.200.206.8600 > 192.168.200.55.33770: 35806 NXDomain* 0/1/1 (93)
...
192.168.200.206 is telling pdns there is no "service.consul"
configured there. So either 206 is wrong, or 206 is not Authoritative
for the service.consul domain, or 206 is misconfigured.
To rule out #2, could you set the forward-zones config to JUST the
domain 205/206/207 are responsible for? (could be it only answers to
testcluster.service.consul)?
Also, you have given us 0.005% of your config, yet you ask us to
figure out what's wrong? Please see
https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open
Frank
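
Added example, not part of the original thread: a small Python parser for tcpdump DNS lines like those above. It pairs queries with replies and flags the two oddities visible in the capture, an NXDomain for a name whose descendants resolve (per RFC 8020, NXDOMAIN means nothing exists below the name) and a DS query answered with off-type records. The function names and finding labels are hypothetical; the sample lines are the thread's own capture, re-joined one packet per line.

```python
import re

# Sample input: six packets from the capture in the thread, one packet per line.
TRACE = """\
10:31:32.584694 IP 192.168.200.55.30152 > 192.168.200.205.8600: 59346 [1au] A? service.consul. (43)
10:31:32.586480 IP 192.168.200.205.8600 > 192.168.200.55.30152: 59346 NXDomain* 0/1/1 (93)
10:31:32.603241 IP 192.168.200.55.29051 > 192.168.200.205.8600: 13078 [1au] A? master.testcluster.service.consul. (62)
10:31:32.606545 IP 192.168.200.205.8600 > 192.168.200.55.29051: 13078* 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A 192.168.200.202 (122)
10:31:32.613117 IP 192.168.200.55.49421 > 192.168.200.205.8600: 50188 [1au] DS? testcluster.service.consul. (55)
10:31:32.615703 IP 192.168.200.205.8600 > 192.168.200.55.49421: 50188* 2/0/1 CNAME test-patroni-02.sub1.domain.tld., A 192.168.200.202 (115)
"""

# tcpdump prints queries as "<id>[flags] [1au] TYPE? name. (len)" and
# replies as "<id> [rcode][*] an/ns/ar [answers] (len)".
QUERY = re.compile(r": (\d+)[+%]* \[\w+\] (\w+)\? (\S+) \(\d+\)$")
REPLY = re.compile(r": (\d+)(?: (\w+))?\*? (\d+/\d+/\d+)(?: (.*))? \(\d+\)$")

def parse(trace):
    """Pair each query with its reply by DNS id -> (qtype, qname, rcode, answer types)."""
    pending, events = {}, []
    for line in trace.splitlines():
        if m := QUERY.search(line):
            pending[m[1]] = (m[2], m[3].lower())
        elif (m := REPLY.search(line)) and m[1] in pending:
            qtype, qname = pending.pop(m[1])
            types = [rr.split()[0] for rr in (m[4] or "").split(", ") if rr]
            events.append((qtype, qname, m[2] or "NOERROR", types))
    return events

def findings(events):
    """Flag answers that conflict with an earlier NXDomain or with the query type."""
    nxdomain = {qname for _, qname, rcode, _ in events if rcode == "NXDomain"}
    found = []
    for qtype, qname, rcode, types in events:
        if rcode != "NOERROR" or not types:
            continue
        # A positive answer below a name that the same servers called NXDomain.
        for ancestor in sorted(nxdomain):
            if qname.endswith("." + ancestor):
                found.append(("answer-below-nxdomain", ancestor, qname))
        # A DS answer should carry DS (plus CNAME/RRSIG at most), not address records.
        if qtype == "DS" and any(t not in ("DS", "CNAME", "RRSIG") for t in types):
            found.append(("ds-off-type-answer", qname, "+".join(types)))
    return found

if __name__ == "__main__":
    for item in findings(parse(TRACE)):
        print(item)
```

Feed it a full capture (for example the output of tcpdump on the Consul DNS port, one packet per line) to see every name affected rather than the three shown here.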
