So I've been in the process of setting up a PDNS Recursive and Authoritative server for an internal network. The recursive server runs on port 53 and the authoritative runs on 5300. Requests are forwarded using the below:
forward-zones=example.com=127.0.0.1:5300, 30.168.192.in-addr.arpa=127.0.0.1:5300
forward-zones-recurse=.=8.8.8.8
I have a subdomain specifically for Active Directory that I have delegated to the AD DNS system:
v-dc-1.ad.example.com A 192.168.30.15
When I perform a dig query for anything in the subdomain, the recursor correctly talks to the AD nameserver. However, whenever I try to look up the NS IP, I am returned 'servfail'. I have traced the query, as below:
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Wants DNSSEC processing, auth data in query for A
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Looking for CNAME cache hit of 'v-dc-1.ad.example.com|CNAME'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: No CNAME cache hit of 'v-dc-1.ad.example.com|CNAME' found
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: No cache hit for 'v-dc-1.ad.example.com|A', trying to find an appropriate NS record
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] : got TA for '.'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] : setting cut state for . to Secure
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: initial validation status for v-dc-1.ad.example.com is Indeterminate
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Cache consultations done, have 1 NS to contact
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Domain has hardcoded nameserver
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Resolved 'example.com' NS (empty) to: 127.0.0.1
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Trying IP 127.0.0.1:5300, asking 'v-dc-1.ad.example.com|A'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Got 3 answers from (empty) (127.0.0.1), rcode=0 (No Error), aa=0, in 2ms
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: accept answer 'ad.example.com|NS|v-dc-1.ad.example.com.' from 'example.com' nameservers? ttl=3600, place=2 YES! - This answer was received from a server we forward to.
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: accept answer 'v-dc-1.ad.example.com|A|192.168.30.15' from 'example.com' nameservers? ttl=3600, place=3 YES! - This answer was received from a server we forward to.
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: OPT answer '.' from 'example.com' nameservers
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] : got initial zone status Indeterminate for record ad.example.com
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] : got initial zone status Indeterminate for record v-dc-1.ad.example.com
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: determining status after receiving this packet
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: got NS record 'ad.example.com' -> 'v-dc-1.ad.example.com.'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: status=did not resolve, got 1 NS, looping to them
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com.: Nameservers: v-dc-1.ad.example.com.(0.00ms)
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Using NS to resolve itself, but only using what we have in cache (1/1)
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Trying to resolve NS 'v-dc-1.ad.example.com' (1/1)
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Wants DNSSEC processing, NO auth data in query for A
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Recursion not requested for 'v-dc-1.ad.example.com|A', peeking at auth/forward zones
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: forwarding query to hardcoded nameserver '127.0.0.1:5300' for zone 'example.com'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Failed to get IP for NS v-dc-1.ad.example.com, trying next if available
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Failed to resolve via any of the 1 offered NS at level 'ad.example.com'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Ageing nameservers for level 'ad.example.com', next query might succeed
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: failed (res=-1)
Can anyone point me in the right direction with this?
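As an added example (not code from the question or the answer), a small Python script that reads pdns_recursor trace lines like the ones above, pairs each referral's NS records and additional-section glue with any later "Failed to get IP for NS" line, and flags when the failing nameserver's name lies inside the zone it serves. The three sample lines are constructed to match the trace in the question; the function and field names are my own.

```python
import re

# Constructed sample: three lines in the shape of the pdns_recursor trace in the
# question (same names and address); the rest of the trace is left out.
SAMPLE_TRACE = """\
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: accept answer 'ad.example.com|NS|v-dc-1.ad.example.com.' from 'example.com' nameservers? ttl=3600, place=2 YES! - This answer was received from a server we forward to.
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: accept answer 'v-dc-1.ad.example.com|A|192.168.30.15' from 'example.com' nameservers? ttl=3600, place=3 YES! - This answer was received from a server we forward to.
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Failed to get IP for NS v-dc-1.ad.example.com, trying next if available
"""

# 'name|type|rdata' plus the section it arrived in: place=1 answer, 2 authority, 3 additional.
ANSWER_RE = re.compile(r"accept answer '(?P<name>[^|]+)\|(?P<type>[A-Z]+)\|(?P<rdata>[^']+)'.*?place=(?P<place>\d)")
FAIL_RE = re.compile(r"Failed to get IP for NS (?P<ns>\S+?),")


def canon(name: str) -> str:
    # Lower-case and drop the trailing dot so 'ns.example.com.' equals 'ns.example.com'.
    return name.rstrip(".").lower()


def in_bailiwick(host: str, zone: str) -> bool:
    # True when host is at or below zone: its address can only come from glue for that zone.
    host, zone = canon(host), canon(zone)
    return host == zone or host.endswith("." + zone)


def analyse_trace(trace: str) -> list:
    # One finding per NS the recursor could not address, with the delegation it belongs to.
    delegations = {}  # zone -> NS hostnames seen in referrals
    glue = {}         # NS hostname -> addresses seen in additional sections (place=3)
    failed = []
    for line in trace.splitlines():
        m = ANSWER_RE.search(line)
        if m:
            name, rtype, rdata = canon(m["name"]), m["type"], m["rdata"]
            if rtype == "NS":
                delegations.setdefault(name, set()).add(canon(rdata))
            elif rtype in ("A", "AAAA") and m["place"] == "3":
                glue.setdefault(name, set()).add(rdata)
            continue
        m = FAIL_RE.search(line)
        if m:
            failed.append(canon(m["ns"]))
    findings = []
    for ns in failed:
        for zone, servers in delegations.items():
            if ns in servers:
                findings.append({"zone": zone, "ns": ns,
                                 "in_bailiwick": in_bailiwick(ns, zone),
                                 "glue_in_referral": sorted(glue.get(ns, ()))})
    return findings
```

Run against the sample it reports that the delegation for ad.example.com names an in-bailiwick server whose glue did arrive in the referral, which is the situation to compare against once the glue host name is changed.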
I was having the exact same issue and the only thing that worked for me was using a dedicated host name for the glue records that is not used for anything else but the delegation.
So for example, instead of
use an alternative host name, but point to the same IP address as the DC: