<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">
<div>Hi,</div>
<div><br></div>
<div>I am using up to now pdns-4.0.x and pdns-recursor-4.0.x as a simple replacement for BIND installations at customer sites.</div>
<div><br></div>
<div>The setup I am using is to keep master/slave replication as I need to replicate zones from other master servers (Linux or Windows) and the DHCP server is doing dynamic DNS updates to the master direct and reverse zones (RFC 2136).</div>
<div><br></div>
<div>So mainly I configure the following:</div>
<div><br></div>
<div>- pdns is listening on port 53</div>
<div>- pdns-recursor is listening on port 5301</div>
<div>- pdns configured to forward recursive queries to the recursor on port 5301</div>
<div>- DHCP server (ISC DHCP) configured to do RFC 2136 DNS updates</div>
<div><br></div>
<div>I just tried out the new version 4.1 and see that there is a major architecture change: the pdns server is not able to forward recursive queries to the recursor.</div>
<div><br></div>
<div>So the proposed solutions:</div>
<div><br></div>
<div>Scenario 1: the recursor is on port 53 and forwards queries for known zones to the authoritative pdns on port 5300</div>
<div><br></div>
<div>Scenario 2: dnsdist is on port 53, forwards queries for known zones to the authoritative pdns on port 5300, and forwards recursive queries to the recursor on port 5301</div>
<div><br></div>
<div>I see several problems with these setups:</div>
<div><br></div>
<div>Scenario 1:</div>
<div><br></div>
<div>- you cannot have master/slave replication because the recursor does not forward AXFR/IXFR/NOTIFY to the authoritative server</div>
<div>- you cannot have RFC 2136 DNS updates as the recursor does not forward UPDATE to the authoritative server</div>
<div>- you cannot keep using the ISC DHCP server because you cannot specify a port other than 53 for the destination of UPDATE (it is possible with the new Kea server, supposed to replace ISC DHCP)</div>
<div>- you must edit the recursor settings each time you add a new zone to the authoritative server</div>
<div>- this breaks the supermasters architecture as there is no NOTIFY forwarding, and even if there was, the recursor needs to be edited to forward the new zones</div>
<div><br></div>
<div>Scenario 2:</div>
<div><br></div>
<div>- AXFR/IXFR/NOTIFY are forwarded by the authoritative server, but the presented address is that of the dnsdist server and not of the original master</div>
<div>- RFC 2136 UPDATEs are forwarded, using the dnsdist server address</div>
<div>- you must edit the recursor settings each time you add a new zone to the authoritative server</div>
<div>- you must edit the dnsdist settings each time you add a new zone to the authoritative server</div>
<div>- you must edit the dnsdist settings each time you change the NS entries of an authoritative zone (for example by adding a slave server)</div>
<div>- this breaks the supermasters architecture because the dnsdist and recursor settings must be manually updated to forward the new zones</div>
<div><br></div>
<div>I have tried the various solutions, even replacing with some success the ISC DHCP server with the new Kea server, but I am now convinced that I cannot have master/slave/supermaster/update functionalities on version 4.1 without a major change to the customer server and PC setup.</div>
<div><br></div>
<div>I well understand these architecture changes were done to improve performance on big setups (ISPs or large companies), and also that you may separate each process using separate IP addresses and have them all use the default port 53, but this also makes pdns not a good replacement for most of our customers that have simpler needs.</div>
<div><br></div>
<div>So for the moment I will keep the 4.0 version, but I hope the 4.1.x and later versions will get back the possibility to have the authoritative server forward to the recursor.</div>
<div><br></div>
<div>Regards,</div>
<div><br></div>
<div>Alain RICHARD</div>
<div><br></div>
</body></html>
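The "Scenario 2" layout described in the message (dnsdist on port 53, known zones to the authoritative pdns on 5300, everything else to the recursor on 5301), written out as a dnsdist Lua configuration. This is an added example, not part of the original post and not a configuration shipped by the PowerDNS project; the listen address, backend addresses, zone list and server names are assumptions, and the rule and constant names follow the dnsdist Lua configuration reference and should be checked against the documentation of the dnsdist version actually installed.

```lua
-- Added example (not from the original post): dnsdist front-end for "Scenario 2".
-- Listen address, backend addresses and the zone list are assumed values.

setLocal("192.0.2.10:53")   -- assumed address on which dnsdist takes port 53

-- Two backend pools: the authoritative pdns and the recursor, both on loopback
newServer({address="127.0.0.1:5300", pool="auth",     name="pdns-auth"})
newServer({address="127.0.0.1:5301", pool="recursor", name="pdns-recursor"})

-- Zones hosted on the authoritative server (assumed). As the message points out,
-- this list has to be maintained by hand whenever a zone is added there.
authZones = {"example.com", "2.0.192.in-addr.arpa"}

-- Zone-maintenance traffic must reach the authoritative server whatever the
-- name asked for: RFC 2136 dynamic updates (opcode UPDATE), NOTIFY from the
-- masters, and AXFR/IXFR zone-transfer requests from slaves.
addAction(OpcodeRule(DNSOpcode.Update), PoolAction("auth"))
addAction(OpcodeRule(DNSOpcode.Notify), PoolAction("auth"))
addAction(QTypeRule(DNSQType.AXFR),     PoolAction("auth"))
addAction(QTypeRule(DNSQType.IXFR),     PoolAction("auth"))

-- Ordinary queries inside the known zones go to the authoritative server ...
addAction(QNameSuffixRule(authZones), PoolAction("auth"))
-- ... and everything else is sent to the recursor.
addAction(AllRule(), PoolAction("recursor"))
```

Because the authoritative server now sees every UPDATE and NOTIFY arriving from dnsdist's own address (the point the message makes), the pdns settings allow-dnsupdate-from and allow-notify-from would have to admit that address rather than the DHCP server's or the real master's, which makes the source address useless as an access control; signing the updates and transfers with TSIG keys on both ends is the way to keep the authorization meaningful in this layout.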