From 7b290a7d79ea5f4bf1ffd52f8b82084b6dfcdd3b Mon Sep 17 00:00:00 2001
From: =?utf8?q?Jonas=20Sch=C3=A4fer?=
Date: Wed, 28 Aug 2024 14:04:53 +0200
Subject: [PATCH] Mention effect of dont_query on forward_zones
---
 pdns/recursordist/settings/table.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/pdns/recursordist/settings/table.py b/pdns/recursordist/settings/table.py
index 5c8fe6eed9..561c683ca3 100644
--- a/pdns/recursordist/settings/table.py
+++ b/pdns/recursordist/settings/table.py
@@ -701,7 +701,7 @@ This can have odd effects, depending on your network, and may even be a security
 Therefore, the PowerDNS Recursor by default does not query private space IP addresses.
 This setting can be used to expand or reduce the limitations.
 
-Queries for names in forward zones and to addresses as configured in any of the settings :ref:`setting-forward-zones`, :ref:`setting-forward-zones-file` or :ref:`setting-forward-zones-recurse` are performed regardless of these limitations.
+Queries for names in forward zones and to addresses as configured in any of the settings :ref:`setting-forward-zones`, :ref:`setting-forward-zones-file` or :ref:`setting-forward-zones-recurse` are performed regardless of these limitations. However, if NS records are learned from :ref:`setting-forward-zones` and the IP addresses of the nameservers learned in that way are included in :ref:`setting-dont-query`, lookups relying on these nameservers will fail with SERVFAIL.
 ''',
 },
 {
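Review bot: The new sentence names only :ref:`setting-forward-zones` as the source of learned NS records, while the identical note added later in this patch (hunks at -1034 and -1073) goes into two settings' docs, so the caveat does not seem specific to that one setting; confirm whether :ref:`setting-forward-zones-file` belongs in this sentence as well. The sentence also leaves the operator without the remedy that the preceding context line already implies (`This setting can be used to expand or reduce the limitations.`); consider appending `Narrow this setting if those nameservers must be reachable, keeping in mind that it governs all outgoing queries, not only the forwarded zone.` The enclosing doc string starts before the hunk.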
@@ -1034,6 +1034,9 @@ Forwarded queries have the ``recursion desired (RD)`` bit set to ``0``, meaning
 If an ``NS`` record set for a subzone of the forwarded zone is learned, that record set will be used to determine addresses for name servers of the subzone.
 This allows e.g. a forward to a local authoritative server holding a copy of the root zone, delegations received from that server will work.
 
+**Note**: When an ``NS`` record for a subzone is learned and the IP address for that nameserver is included in the IP ranges in :ref:`setting-dont-query`,
+SERVFAIL is returned.
+
 **IMPORTANT**: When using DNSSEC validation (which is default), forwards to non-delegated (e.g. internal) zones that have a DNSSEC signed parent zone will validate as Bogus.
 To prevent this, add a Negative Trust Anchor (NTA) for this zone in the :ref:`setting-lua-config-file` with ``addNTA('your.zone', 'A comment')``.
 If this forwarded zone is signed, instead of adding NTA, add the DS record to the :ref:`setting-lua-config-file`.
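Review bot: `SERVFAIL is returned.` on the second added line does not say which queries fail, so it can be read as the forward as a whole failing; the wording in the hunk at -701 is more precise. Consider `queries that depend on that nameserver are answered with SERVFAIL.` and, since the fix lives in a different setting, a pointer such as `Adjust :ref:`setting-dont-query` if such nameservers must be used.` The same note is added verbatim in the hunk at -1073; keep both in sync or factor the text into a shared string. The enclosing doc string starts and ends outside the hunk.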
@@ -1073,6 +1076,9 @@ Forwarded queries have the ``recursion desired (RD)`` bit set to ``0``, meaning
 If an ``NS`` record set for a subzone of the forwarded zone is learned, that record set will be used to determine addresses for name servers of the subzone.
 This allows e.g. a forward to a local authoritative server holding a copy of the root zone, delegations received from that server will work.
 
+**Note**: When an ``NS`` record for a subzone is learned and the IP address for that nameserver is included in the IP ranges in :ref:`setting-dont-query`,
+SERVFAIL is returned.
+
 **IMPORTANT**: When using DNSSEC validation (which is default), forwards to non-delegated (e.g. internal) zones that have a DNSSEC signed parent zone will validate as Bogus.
 To prevent this, add a Negative Trust Anchor (NTA) for this zone in the :ref:`setting-lua-config-file` with ``addNTA('your.zone', 'A comment')``.
 If this forwarded zone is signed, instead of adding NTA, add the DS record to the :ref:`setting-lua-config-file`.
-- 
2.47.2