<div dir="ltr">Gentlemen,<br><br>I greatly appreciate you all taking the time to respond in such depth.<br><br>So first upgrade the version of pdns, then I will separately address the other issues you all raise.<br><br>Thanks for the heads up. It is not that I was knowingly "implementing something which is approaching end-of-life". All 3 of my name servers are running on the latest updated long-term release version of Ubuntu (Ubuntu 20.04.2 LTS). I thought the best practice to ensure current software on Ubuntu was to use apt, first to update and then to install:<br><br><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><font face="monospace">sudo apt update<br></font><font face="monospace">sudo apt install pdns-server pdns-backend-mysql -y</font></blockquote><br>... and from there configure the installation:<br><br><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><font face="monospace">mysql -u pdnsadmin -p pdns < /usr/share/pdns-backend-mysql/schema/schema.mysql.sql<br></font><font face="monospace">vi /etc/powerdns/pdns.d/pdns.local.gmysql.conf<br></font><font face="monospace">etc</font></blockquote><br>I did not realize that doing this just over the last few days would install a version of pdns slated for EOL ~ April 2021! 
(given that it's May already - <a href="https://doc.powerdns.com/authoritative/appendices/EOL.html">https://doc.powerdns.com/authoritative/appendices/EOL.html</a>)<br><br>I understand from your referenced documentation (<a href="https://repo.powerdns.com/">https://repo.powerdns.com/</a>), that the preferred installation method for "PowerDNS Authoritative Server - master branch" on Ubuntu 20.04 "Focal Fossa" is to:<br><br><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><font face="monospace">Create the file '/etc/apt/sources.list.d/pdns.list' with this content:</font><font face="monospace"><br></font></blockquote><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><font face="monospace">deb [arch=amd64] <a href="http://repo.powerdns.com/ubuntu">http://repo.powerdns.com/ubuntu</a> bionic-auth-master main<br><br></font></blockquote></blockquote><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><font face="monospace">And this to '/etc/apt/preferences.d/pdns':</font><font face="monospace"><br></font></blockquote><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><font face="monospace">Package: pdns-*</font></blockquote><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><font face="monospace">Pin: origin <a href="http://repo.powerdns.com">repo.powerdns.com</a></font></blockquote><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><font face="monospace">Pin-Priority: 600<br><br></font></blockquote></blockquote><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><font face="monospace">and execute the following commands:</font><font face="monospace"><br></font></blockquote><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><font face="monospace">curl <a 
href="https://repo.powerdns.com/CBC8B383-pub.asc">https://repo.powerdns.com/CBC8B383-pub.asc</a> | sudo apt-key add - &&</font></blockquote><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><font face="monospace">sudo apt-get update &&</font></blockquote><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><font face="monospace">sudo apt-get install pdns-server</font></blockquote></blockquote><br>There is nothing there about installing the preferred backend, but would I be correct in assuming I could extend that last line to read:<br><br><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><font face="monospace">sudo apt install pdns-server pdns-backend-mysql</font></blockquote><br>I find the documentation on upgrading pdns (<a href="https://doc.powerdns.com/authoritative/upgrading.html">https://doc.powerdns.com/authoritative/upgrading.html</a>) to be highly contextual and difficult to follow, in that there do not appear to be procedures set forth to actually upgrade any distribution.<br><br>So instead of upgrading, do I first uninstall, remove and purge the old pdns 4.2.1 installation and then follow the installation of the latest master branch above?<br><br><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><font face="monospace">apt-get --purge autoremove pdns-server pdns-backend-mysql </font></blockquote><br>I'm assuming as a backend, the apt-updated version of MySQL is adequate:<br><br><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><font face="monospace">mysql Ver 8.0.23-0ubuntu0.20.04.1 for Linux on x86_64 ((Ubuntu))</font></blockquote><br>... where all the domain and record information will persist.<br><br>I will respond about the other issues once I have the latest master branch installed, but for now let me clarify the IP addressing of my 3 servers - I have each server on a separate network from a separate provider, each with reverse DNS established. 
Here are the 3 servers, their ip addresses and the name servers for each of the provider (upstream) networks:<br><br><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><font face="monospace"><a href="http://ns1.opensourceserver.io">ns1.opensourceserver.io</a> = 76.76.238.10<br></font><font face="monospace"><a href="http://dns2.lisco.com">dns2.lisco.com</a> 69.18.32.51<br></font><font face="monospace"><a href="http://dns1.lisco.com">dns1.lisco.com</a> 69.18.32.50<br></font><font face="monospace"><br></font><font face="monospace"><a href="http://ns2.opensourceserver.io">ns2.opensourceserver.io</a> = 207.177.51.156<br></font><font face="monospace"><a href="http://ns1.natel.net">ns1.natel.net</a> 207.177.74.108<br></font><font face="monospace"><a href="http://ns1.natel.com">ns1.natel.com</a> 207.177.74.118<br></font><font face="monospace"><br></font><font face="monospace"><a href="http://ns3.opensourceserver.io">ns3.opensourceserver.io</a> = 47.225.208.154<br></font><font face="monospace"><a href="http://rns01.charter.com">rns01.charter.com</a> 71.10.216.1<br> </font><font face="monospace"><a href="http://rns02.charter.com">rns02.charter.com</a> 71.10.216.2 </font></blockquote><br>Thanks in advance.<div><br></div><div><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="font-family:arial;font-size:small"><div>Steve Garner</div><div>+1 302 364 0325 (USA)<br></div><div><a href="mailto:stevenjgarner@gmail.com">stevenjgarner@gmail.com</a></div></div></div></div></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, May 7, 2021 at 3:32 AM Brian Candler <<a href="mailto:b.candler@pobox.com">b.candler@pobox.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div>On 07/05/2021 06:14, Steven Garner via
Pdns-users wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>I have a noob question about DNS forwarding - just
implemented pdns version 4.2.1 on three servers on separate
networks</div>
</div>
</blockquote>
<p>I have to ask: why are you implementing something which is
approaching end-of-life? PowerDNS Authoritative current version
is 4.4.x, and only two previous ones are maintained. Get the
current software from <a href="https://repo.powerdns.com/" target="_blank">https://repo.powerdns.com/</a> (ignore the
"master branch", this is bleeding-edge)<br>
</p>
<p><br>
</p>
<blockquote type="cite">
<div dir="ltr">
<div>, intending for one to be a master (primary) and the other
two to be slaves (secondaries). So far I love it, but I think
I may be doing something wrong with DNS forwarding.<br>
</div>
</div>
</blockquote>
<p>I am not sure what you mean by "DNS forwarding" in the context of
an authoritative server. It either answers, or it doesn't.<br>
</p>
<p><br>
</p>
<blockquote type="cite">
<div dir="ltr">
<div><br>
I have records for some 383 domains in MySQL as a backend.<br>
<br>
I have the master set up with:<br>
<br>
master=yes<br>
<br>
... and the slaves set up with:<br>
<br>
slave=yes<br>
<br>
... all in /etc/powerdns/pdns.conf<br>
<br>
Also the master/slave state is configured on a per domain
basis in the domains table with the type column set to either
MASTER or SLAVE respectively. The slave has the master node IP
addresses set for each domain in the master column in the
domains table.<br>
<br>
dig would seem to indicate that everything is working fine:<br>
<br>
==========================================<br>
<br>
dig soa <a href="http://opensourceserver.io" target="_blank">opensourceserver.io</a> @<a href="http://ns3.opensourceserver.io" target="_blank">ns3.opensourceserver.io</a><br>
<br>
</div>
</div>
</blockquote>
<p><br>
</p>
<p>Looking from here, ns3 doesn't work for me:</p>
<p>$ dig +norec soa <a href="http://opensourceserver.io" target="_blank">opensourceserver.io</a> @<a href="http://ns3.opensourceserver.io" target="_blank">ns3.opensourceserver.io</a><br>
<br>
; <<>> DiG 9.10.6 <<>> +norec soa
<a href="http://opensourceserver.io" target="_blank">opensourceserver.io</a> @<a href="http://ns3.opensourceserver.io" target="_blank">ns3.opensourceserver.io</a><br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: <b>REFUSED</b>,
id: 31728<br>
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 1232<br>
;; QUESTION SECTION:<br>
;<a href="http://opensourceserver.io" target="_blank">opensourceserver.io</a>. IN SOA<br>
<br>
;; Query time: 128 msec<br>
;; SERVER: 47.225.208.154#53(47.225.208.154)<br>
;; WHEN: Fri May 07 09:11:11 BST 2021<br>
;; MSG SIZE rcvd: 48</p>
<p><br>
</p>
<p>ns2 doesn't work for me either:<br>
</p>
<p>$ dig +norec soa <a href="http://opensourceserver.io" target="_blank">opensourceserver.io</a> @<a href="http://ns2.opensourceserver.io" target="_blank">ns2.opensourceserver.io</a><br>
</p>
<p>; <<>> DiG 9.10.6 <<>> +norec soa
<a href="http://opensourceserver.io" target="_blank">opensourceserver.io</a> @<a href="http://ns2.opensourceserver.io" target="_blank">ns2.opensourceserver.io</a><br>
;; global options: +cmd<br>
;; connection timed out; no servers could be reached<br>
<br>
</p>
<p>But ns1 does work:</p>
<p>$ dig +norec soa <a href="http://opensourceserver.io" target="_blank">opensourceserver.io</a> @<a href="http://ns1.opensourceserver.io" target="_blank">ns1.opensourceserver.io</a><br>
</p>
<p>...<br>
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1<br>
...<br>
;; ANSWER SECTION:<br>
<a href="http://opensourceserver.io" target="_blank">opensourceserver.io</a>. 86400 IN SOA
<a href="http://ns1.opensourceserver.io" target="_blank">ns1.opensourceserver.io</a>. <a href="http://hostmaster.embode.net" target="_blank">hostmaster.embode.net</a>. 2021050501 10380
3600 1814400 3796<br>
</p>
<p><br>
</p>
<p>Given that ns1, ns2 and ns3 are all your own machines, it's
up to you to fix them so that they respond authoritatively. My
first guess is that the master/slave replication isn't working;
look at logs on both sides. In the case of ns2 it may be
firewalled off, although it does respond to pings.<br>
</p>
<p>Incidentally, given that you are using powerdns exclusively, then
there's a better approach than master/slave for syncing zones.
You can use "native" replication: that is, in effect you configure
all three as primary, and sync the mysql databases using mysql's
own replication capabilities.</p>
<p>This will give you near-instantaneous replication, guarantee all
databases are identical, and avoid all issues with notifies,
authorizing AXFRs etc. For a new deployment I'd definitely
recommend it. However, if you want to use traditional
master/slave then it should work too. Check your configs and the
zones configured in your databases.</p>
<p>One other thing. Zone <a href="http://opensourceserver.io" target="_blank">opensourceserver.io</a> has nameservers within
the same zone (i.e. ns1/ns2/<a href="http://ns3.opensourceserver.io" target="_blank">ns3.opensourceserver.io</a>). This means
you need to be careful that all your glue records are correct as
well.<br>
</p>
<p>This is clearly broken at the moment:</p>
<p>$ dig +norec @<a href="http://a0.nic.io" target="_blank">a0.nic.io</a>. <a href="http://ns1.opensourceserver.io" target="_blank">ns1.opensourceserver.io</a>.<br>
...<br>
;; ADDITIONAL SECTION:<br>
<a href="http://ns1.opensourceserver.io" target="_blank">ns1.opensourceserver.io</a>. 86400 IN A 76.76.238.10<br>
<a href="http://ns2.opensourceserver.io" target="_blank">ns2.opensourceserver.io</a>. 86400 IN A 76.76.238.10<br>
<a href="http://ns3.opensourceserver.io" target="_blank">ns3.opensourceserver.io</a>. 86400 IN A 76.76.238.10<br>
</p>
<p>!!!!</p>
<p>But:</p>
<p>$ dig +short +norec @<a href="http://76.76.238.10" target="_blank">76.76.238.10</a> <a href="http://ns1.opensourceserver.io" target="_blank">ns1.opensourceserver.io</a>.<br>
76.76.238.10<br>
$ dig +short +norec @<a href="http://76.76.238.10" target="_blank">76.76.238.10</a> <a href="http://ns2.opensourceserver.io" target="_blank">ns2.opensourceserver.io</a>.<br>
207.177.51.156<br>
$ dig +short +norec @<a href="http://76.76.238.10" target="_blank">76.76.238.10</a> <a href="http://ns3.opensourceserver.io" target="_blank">ns3.opensourceserver.io</a>.<br>
47.225.208.154</p>
<p>This sort of inconsistency will bite you in the end, so make sure
you get it right. In this case you need to fix the glue records
with your registrar.<br>
</p>
<p>I can see from reverse DNS that these are the primary names for
those nameservers. When it comes to your other 382 domains: I
don't know what you've chosen to do, but it's easier and safer if
you point their NS records to ns1/ns2/<a href="http://ns3.opensourceserver.io" target="_blank">ns3.opensourceserver.io</a>,
rather than ns1/ns2/<a href="http://ns3.otherdomain.com" target="_blank">ns3.otherdomain.com</a>. The latter are known as
"vanity" nameservers, and will mean you have to sort glue out for
each domain as well.<br>
</p>
<p>Regards,</p>
<p>Brian.<br>
</p>
</div>
</blockquote></div>
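<p>The three checks Brian runs by hand in the reply above (each listed nameserver answers the zone's SOA authoritatively, the glue the parent hands out matches the A records the zone itself serves, and the servers agree on the SOA serial) as a small script, added here as an example that is not from this thread or from the PowerDNS project. The <code>dig</code> outputs embedded as <code>SAMPLE_*</code> are constructed to mirror the quoted replies (query ids are made up); <code>run_dig()</code> is the only part that touches the network and assumes <code>dig</code> is on <code>PATH</code>.</p>

```python
"""Added example (not from the thread or PowerDNS): the checks Brian ran by
hand, as code over `dig +norec` output. SAMPLE_* texts are constructed to
mirror the quoted replies; run_dig() assumes `dig` is on PATH."""
import re
import subprocess
from dataclasses import dataclass, field

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

@dataclass
class DigResult:
    status: str                 # NOERROR, REFUSED, TIMEOUT, ...
    flags: set                  # e.g. {"qr", "aa"}
    answer: list = field(default_factory=list)      # (owner, ttl, type, rdata)
    additional: list = field(default_factory=list)

def parse_dig(text: str) -> DigResult:
    if "connection timed out" in text:
        return DigResult("TIMEOUT", set())
    m = re.search(r"status: (\w+)", text)
    res = DigResult(m.group(1) if m else "UNKNOWN", set())
    m = re.search(r";; flags: ([^;]*);", text)
    res.flags = set(m.group(1).split()) if m else set()
    sections = {"ANSWER": res.answer, "ADDITIONAL": res.additional}
    current = None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith(";;"):   # ";; X SECTION:" opens a section, any other ;; line closes it
            m = re.match(r";; (\w+) SECTION:", line)
            current = sections.get(m.group(1)) if m else None
        elif current is not None and line and not line.startswith(";"):
            m = RR_RE.match(line)
            if m:
                owner, ttl, rtype, rdata = m.groups()
                current.append((owner.lower(), int(ttl), rtype, rdata))
    return res

def run_dig(*args: str) -> DigResult:
    """Live variant. +norec matters: with RD set a misconfigured server may
    forward the query and hide that it is not authoritative for the zone."""
    out = subprocess.run(["dig", "+norec", *args], capture_output=True, text=True).stdout
    return parse_dig(out)

def check_authoritative(zone: str, soa_by_ns: dict) -> list:
    """soa_by_ns: nameserver -> result of `dig +norec SOA <zone> @<nameserver>`."""
    problems = []
    for ns, r in soa_by_ns.items():
        if r.status != "NOERROR":
            problems.append(f"{ns}: {r.status} for {zone} SOA (lame or unreachable)")
        elif "aa" not in r.flags:
            problems.append(f"{ns}: answered {zone} SOA without the AA flag")
    return problems

def check_glue(parent: DigResult, in_zone_a: dict) -> list:
    """parent: a parent-side referral for an in-zone NS name; in_zone_a:
    NS name (trailing dot) -> set of A records the zone itself serves."""
    glue = {}
    for owner, _ttl, rtype, rdata in parent.additional:
        if rtype == "A":
            glue.setdefault(owner, set()).add(rdata)
    return [f"glue mismatch for {ns}: parent says {sorted(glue.get(ns, ()))}, "
            f"zone says {sorted(a)}" for ns, a in in_zone_a.items()
            if glue.get(ns, set()) != a]

def check_serials(soa_by_ns: dict) -> list:
    # Every server that answered must carry the same SOA serial (field 3 of the rdata).
    serials = {ns: int(rd.split()[2]) for ns, r in soa_by_ns.items()
               for _o, _t, rt, rd in r.answer if rt == "SOA"}
    return [f"SOA serial disagreement: {serials}"] if len(set(serials.values())) > 1 else []

SAMPLE_NS1 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5001
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
opensourceserver.io. 86400 IN SOA ns1.opensourceserver.io. hostmaster.embode.net. 2021050501 10380 3600 1814400 3796
"""
SAMPLE_NS2 = ";; connection timed out; no servers could be reached\n"
SAMPLE_NS3 = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 31728
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_PARENT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3

;; ADDITIONAL SECTION:
ns1.opensourceserver.io. 86400 IN A 76.76.238.10
ns2.opensourceserver.io. 86400 IN A 76.76.238.10
ns3.opensourceserver.io. 86400 IN A 76.76.238.10
"""
IN_ZONE_A = {"ns1.opensourceserver.io.": {"76.76.238.10"},     # what ns1 itself serves
             "ns2.opensourceserver.io.": {"207.177.51.156"},   # (the dig @76.76.238.10
             "ns3.opensourceserver.io.": {"47.225.208.154"}}   #  answers in the thread)

def diagnose_samples() -> list:
    soa_by_ns = {f"ns{i}.opensourceserver.io.": parse_dig(t)
                 for i, t in enumerate((SAMPLE_NS1, SAMPLE_NS2, SAMPLE_NS3), 1)}
    return (check_authoritative("opensourceserver.io", soa_by_ns)
            + check_glue(parse_dig(SAMPLE_PARENT), IN_ZONE_A)
            + check_serials(soa_by_ns))
```

<p>On the sample data this reports four problems: ns2 times out, ns3 answers REFUSED, and the parent's glue for ns2 and ns3 points at ns1's address. To run it against live servers, replace the samples with <code>run_dig("soa", zone, "@" + ns)</code> for each nameserver and <code>run_dig("@a0.nic.io.", "ns1.opensourceserver.io.")</code> for the parent referral. The serial check is the one that keeps paying off after the lame servers are fixed: with master/slave replication a stalled NOTIFY or a refused AXFR shows up as secondaries stuck on an old serial, which is exactly the class of failure the native (database-replicated) setup suggested above avoids.</p>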