<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 07/02/2018 12:08 PM, Walter Parker
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAMPTd_D0Tt=geJBrsB=uAgh95pBejuK98+JcFfhtu+8SbCLLoQ@mail.gmail.com">
<div dir="ltr">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Jul 2, 2018 at 8:21 AM,
Steven Spencer <span dir="ltr"><<a
href="mailto:steven.spencer@kdsi.com" target="_blank"
moz-do-not-send="true">steven.spencer@kdsi.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Greetings,</p>
<p>We have been using PowerDNS for a very long time.
I've converted from several older versions to new ones
and separated our recursor from our authoritative
server about 6 years ago. We are also a small IT shop,
so sometimes things get behind, which is where we are
at the moment with PDNS. <br>
</p>
<p>What I'm trying to get my mind around is the changes
to how the recursive server communicates with the
authoritative server. In an attempt to take our new
servers live last night, our authoritative server
would answer for domains that we are authoritative
for, but would not answer for anything that required
the recursor. The recursor, however, answered just
fine for everything, but showed everything as a
Non-authoritative answer, even for things that we are
authoritative for. In reading the documents, I came
across the <b>"Migrating from using recursion on the
Authoritative Server to using a Recursor" </b>(<a
class="m_5777733332534578292moz-txt-link-freetext"
href="https://doc.powerdns.com/authoritative/guides/recursion.html"
target="_blank" moz-do-not-send="true">https://doc.powerdns.com/<wbr>authoritative/guides/<wbr>recursion.html</a>)
article which I initially discounted, as we have,
again, been running separate recursors and
authoritative servers for quite a few years. The
removal of the ability to specify the recursor within
the pdns.conf seems to have changed the entire
dynamic of the request/reply framework. (we used the
recursor= to specify the recursor's address which
resided on its own hardware). Up to this point, our
authoritative server has had the publicly advertised
DNS address, but if I'm reading this article
correctly, it /looks/ like we need to switch the
recursor to run as the IP of what we have published as
our DNS address. So, my questions are:</p>
<p>* Is this the case, do I need to change my IP scheme
so that the recursor(s) for our domain actually have
the IP address of the published DNS servers?</p>
</div>
</blockquote>
<div>At the DNS registrar, add the host name of the
authoritative server (which should be pointed at a
separate IP address from the recursive server). The
recursor IP address is not published as a name server. The
recursor is added to /etc/resolv.conf and to the DHCP
server as the local DNS server. <br>
</div>
</div>
</div>
</div>
</blockquote>
That server is already there and published, and the recursor is
already separate, as indicated. <br>
<blockquote type="cite"
cite="mid:CAMPTd_D0Tt=geJBrsB=uAgh95pBejuK98+JcFfhtu+8SbCLLoQ@mail.gmail.com">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>* If so, is it OK that answers will show up on the
recursor as non-authoritative even if we are indeed
authoritative for the domain?</p>
</div>
</blockquote>
<div>Recursors are never authoritative in a split model.
Only the authoritative server is (hence the name). The
recursor looks up the DNS information at the authoritative
(just like everyone else). You can override the recursor to
pull DNS directly from your authoritative server,
but that is not required.</div>
</div>
</div>
</div>
</blockquote>
Which is what I assumed when I took this live last night and then
backed it out. <br>
<blockquote type="cite"
cite="mid:CAMPTd_D0Tt=geJBrsB=uAgh95pBejuK98+JcFfhtu+8SbCLLoQ@mail.gmail.com">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>* finally, does this adversely affect the way that
the root DNS servers communicate with our zone?</p>
</div>
</blockquote>
<div>Root servers don't communicate to you; they respond to
DNS requests as authoritative servers,
just like any other authoritative server.</div>
<div><br>
</div>
</div>
</div>
</div>
</blockquote>
OK, so this is again what I assumed last night when I attempted to
take this live. <br>
<br>
Walter, I appreciate your response. What I'm hearing is that the IP
of the authoritative server, as already registered, should be correct
with no need to change it. The recursors would be used as local DNS
servers (i.e., in your example /etc/resolv.conf), which, if you are
using your own DNS currently on devices in your organization, would
mean a fork-lift upgrade to use the recursors instead. I'm also
hearing that querying your authoritative DNS for something that it
is not authoritative for should in fact return REFUSED. <br>
<br>
As long as the recursor does return the correct information (as ours
did) can we assume that things are working? Is there a good way to
make sure that the authoritative server is properly configured
before an actual go-live? (testing methodology)<br>
<br>
Thanks again for your response.<br>
<blockquote type="cite"
cite="mid:CAMPTd_D0Tt=geJBrsB=uAgh95pBejuK98+JcFfhtu+8SbCLLoQ@mail.gmail.com">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Thanks in advance,</p>
<span class="HOEnZb"><font color="#888888">
<pre class="m_5777733332534578292moz-signature" cols="72">--
--
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 1131
Mobile 402-765-8010
</pre>
</font></span></div>
<br>
______________________________<wbr>_________________<br>
Pdns-users mailing list<br>
<a href="mailto:Pdns-users@mailman.powerdns.com"
moz-do-not-send="true">Pdns-users@mailman.powerdns.<wbr>com</a><br>
<a
href="https://mailman.powerdns.com/mailman/listinfo/pdns-users"
rel="noreferrer" target="_blank" moz-do-not-send="true">https://mailman.powerdns.com/<wbr>mailman/listinfo/pdns-users</a><br>
<br>
</blockquote>
</div>
<br>
Walter<br clear="all">
<div><br>
</div>
-- <br>
<div class="gmail_signature" data-smartmail="gmail_signature"><span
style="font-family:arial,sans-serif;font-size:13px;border-collapse:collapse;color:rgb(136,136,136)">The
greatest dangers to liberty lurk in insidious encroachment
by men of zeal, well-meaning but without understanding.
-- Justice Louis D. Brandeis</span></div>
</div>
</div>
</blockquote>
<p><br>
</p>
<pre class="moz-signature" cols="72">--
--
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 1131
Mobile 402-765-8010
</pre>
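<p>The "testing methodology" question above asks how to confirm the split setup before go-live. The script below is an added example written for this page; it is not part of the thread and not PowerDNS project code. It uses dig(1) to ask the four questions the thread turns on: the authoritative server must answer its own zones with the AA flag, must return REFUSED for names outside its zones (the thread's expectation for an authoritative server with recursion removed), and the recursor must resolve both kinds of name without AA. The addresses 192.0.2.53 / 192.0.2.54, the zone example.com and the foreign name www.powerdns.com are placeholders; override them through the environment. Run it as <code>sh golive-check.sh --run</code>; without <code>--run</code> it only defines the functions.</p>

```shell
#!/bin/sh
# Pre-go-live checks for a split PowerDNS setup (authoritative server on one IP,
# recursor on another). Added example for this thread, not PowerDNS project code.
# Assumes dig(1) is installed. The addresses and names below are placeholders
# (RFC 5737 documentation range / example.com); set them via the environment.

AUTH_IP="${AUTH_IP:-192.0.2.53}"                  # assumed: the published NS address
RECURSOR_IP="${RECURSOR_IP:-192.0.2.54}"          # assumed: the internal resolver
OWN_ZONE="${OWN_ZONE:-example.com}"               # assumed: a zone you are authoritative for
FOREIGN_NAME="${FOREIGN_NAME:-www.powerdns.com}"  # assumed: a name you do NOT serve

# classify_answer: read dig(1) output on stdin and print one token:
#   AUTHORITATIVE   status NOERROR and the 'aa' flag set
#   NONAUTH         status NOERROR without 'aa' (what a recursor returns)
#   REFUSED         status REFUSED (auth server asked for a zone it does not serve)
#   OTHER:<status>  anything else, including timeouts (status 'none')
classify_answer() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
  case "$status" in
    REFUSED) echo REFUSED ;;
    NOERROR)
      case " $flags " in
        *" aa "*) echo AUTHORITATIVE ;;
        *)        echo NONAUTH ;;
      esac ;;
    *) echo "OTHER:${status:-none}" ;;
  esac
}

# expect <label> <wanted>: read a classification token on stdin, report it,
# and return 1 on mismatch so the caller can count failures.
expect() {
  got=$(cat)
  if [ "$got" = "$2" ]; then
    echo "PASS  $1"
  else
    echo "FAIL  $1 (got $got, wanted $2)"
    return 1
  fi
}

# query <server> <name> <type> [dig options...]: one short-timeout lookup.
query() {
  server=$1; name=$2; type=$3; shift 3
  dig +time=3 +tries=1 "$@" @"$server" "$name" "$type"
}

# run_checks: the four answers that separate a correct split from the
# symptoms described in the thread. Returns non-zero if any check fails.
run_checks() {
  fails=0
  query "$AUTH_IP" "$OWN_ZONE" SOA +norecurse \
    | classify_answer | expect "auth: own zone answered with AA" AUTHORITATIVE \
    || fails=$((fails + 1))
  query "$AUTH_IP" "$FOREIGN_NAME" A \
    | classify_answer | expect "auth: foreign name is REFUSED (no recursion)" REFUSED \
    || fails=$((fails + 1))
  query "$RECURSOR_IP" "$OWN_ZONE" SOA \
    | classify_answer | expect "recursor: own zone answered, without AA" NONAUTH \
    || fails=$((fails + 1))
  query "$RECURSOR_IP" "$FOREIGN_NAME" A \
    | classify_answer | expect "recursor: foreign name resolved" NONAUTH \
    || fails=$((fails + 1))
  echo "$fails check(s) failed"
  [ "$fails" -eq 0 ]
}

case "${1:-}" in
  --run) run_checks ;;
esac
```

<p>Point the checks at the new servers while the old ones are still live: the authoritative checks can run against the new box's address directly, and the recursor checks against the new recursor, so nothing has to be cut over to find out whether the answers look right. A timeout on the first check shows up as <code>OTHER:none</code> rather than a false pass.</p>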
</body>
</html>