To follow up and provide the answer for those who seek it in future, for reasons I still can't entirely find the source for (you might have to dust off your RFCs), the advice is don't run an authoritative name server, and a resolver, on the same port.<div>
<br></div><div>You can do something like this:</div><div><br></div><div>pdns-recursor on port 53</div><div>pdns-server on port 530 (the advice I was given was to run this on a different IP as well as a different port, for "hygeine" reasons)</div>
<div><br></div><div>On the recursor, use the 'forward-zone' directive:</div><div><br></div><div><div> forward-zones=example.local=<a href="http://127.0.0.1:530">127.0.0.1:530</a></div></div><div><br></div><div>(I also received a lot of advice not to use .local. I inherited this, and can't easily change the domain without changing a lot of legacy applications, but I agree completely. I'm a fan of .tla and cried a little when they introduced .info as it was four characters long. Don't get me started on .museum!)</div>
<div><br></div><div>pdns-recursor can actually serve simple zones itself with the 'auth-zone' directive, but doesn't support a SQL backend.</div><div><br></div><div>Also, if you're running on EC2, you need to resolve <a href="http://amazonaws.com">amazonaws.com</a> with the EC2 virtual name server IP, 172.16.0.23. Instead of forwarding all other requests to this IP, I am just forwarding that one zone, which requires recursion:</div>
<div><br></div><div><div> forward-zones-recurse=<a href="http://amazonaws.com">amazonaws.com</a>=172.16.0.23</div></div><div><br></div><div>This requires pdns-recursor 3.2 or higher.</div><meta charset="utf-8"><div><br>
</div><div>Hope this helps someone!</div><div><br></div><div>Regards</div><div>Craig<br><div> <br><div class="gmail_quote">On Mon, Jul 12, 2010 at 3:14 PM, Craig Box <span dir="ltr"><<a href="mailto:craig.box@gmail.com">craig.box@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Hi,<div><br></div><div>I realise this issue has been covered on the list, but (a) a couple of years ago, and (b) with slightly different symptoms.</div>
<div><br></div><div>On Amazon EC2, I have a PowerDNS server [1] set up for an example.local domain. I also have recursion enabled and set to the EC2 "virtual nameserver", 172.16.0.23. For simplicity's sake, this all runs on the same port.</div>
<div><br></div><div>Everything works as expected - example.local names resolve from the gmysql backend, and other names are passed on to Amazon for resolution. (You need to use the EC2 name server to resolve <span style="font-family:sans-serif;font-size:13px;line-height:19px">.<a href="http://amazonaws.com" target="_blank">amazonaws.com</a> addresses to their RFC1918 addresses - if you resolve externally, you get the public IP which NATs to your machine.)</span></div>
<div><span style="font-family:sans-serif;font-size:13px;line-height:19px"><br></span></div><div><span style="font-family:sans-serif;font-size:13px;line-height:19px">Anyway, </span>I have added a machine <span style="font-family:sans-serif;font-size:13px;line-height:19px"><a href="http://database.xyzzy.eu-west-1.rds.amazonaws.com" target="_blank">database.xyzzy.eu-west-1.rds.amazonaws.com</a>, which is a multi-AZ deployment (60 second TTL for failover to a second server if the first is unreachable). I have set up a record for data.example.local which is a cname to this address, but querying it gives me an NXDOMAIN (/not/ a SERVFAIL).</span></div>
<div><span style="font-family:sans-serif;font-size:13px;line-height:19px"><br></span></div><div><span style="font-family:sans-serif;font-size:13px;line-height:19px">I have seen mention that you need to have a '.' suffix for records pointing to external names, but this doesn't seem to make a difference.</span></div>
<div><font face="sans-serif"><span style="line-height:19px"><br></span></font></div><div><font face="sans-serif"><span style="line-height:19px">Can what I want to do here, be done? From what I can piece together, all I should have had to do is enable recursion (which was enabled anyway).</span></font></div>
<div><font face="sans-serif"><span style="line-height:19px"><br></span></font></div><div><font face="sans-serif"><span style="line-height:19px">Regards</span></font></div>
<div><font face="sans-serif"><span style="line-height:19px">Craig</span></font></div><div><font face="sans-serif"><span style="line-height:19px"><br>
</span></font></div><div>[1] Version 2.9.22-3 from Ubuntu 10.04.</div>
</blockquote></div><br></div></div>