[Pdns-users] LDAP backend + recursor: how to interoperate?
John Morris
jman at ablesky.com
Sat Mar 22 05:57:04 UTC 2008
I've been using PowerDNS for many years now with the LDAP backend
(probably since the LDAP backend was new), and it's always worked very
well. There is one problem I've never solved, though, and a search of
the list hasn't revealed a solution.
When I first started, I used to set up intranet DNS such that queries
went to the authoritative nameserver, and if it couldn't answer the
question, they would be forwarded to the recursor. This looks like a
common setup, since the docs say to put the recursor on port 5353, from
where it only answers questions to the authoritative nameserver. This is
how I would like to have things work, except for a problem. If pdns is
set up to be authoritative for foobar.com, but a record for
blahblah.foobar.com isn't in the LDAP backend, it will forward the
question to the recursor. I'd rather tell pdns that it is authoritative
for foobar.com, and if blahblah.foobar.com doesn't exist, to return a
SERVFAIL.
To get around this, I arranged the two servers in opposite order.
Intranet hosts are pointed to the recursor, and the recursor has
forward-zones pointers to the internal authoritative servers. This
works well, except that at our current company, we are constantly adding
and removing machines, and our networks are all behind dynamic internet
IP addresses. Although the TTLs are set to low values, it still causes
some inconvenience during the periods when the cache is stale.
What is the best way to set this up? The first scenario would be best
if there is a way to tell pdns never to forward queries for
authoritative zones. Like I say, I've been using pdns for quite a
while, so just a pointer would be great. Thank you-
John
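The two arrangements described in the post, written out as an added example configuration that is not part of the original message. The zone name foobar.com is the one from the post; the IP addresses and network ranges are placeholders, and the authoritative-server `recursor` setting is the one older PowerDNS Authoritative releases provided (it was removed in 4.1).

```ini
# --- Arrangement 1: authoritative server in front, recursor behind it ---
# pdns.conf (authoritative, LDAP backend)
launch=ldap
local-port=53
# Questions the backend cannot answer are handed to the recursor. This is
# the behaviour the post wants to limit: a name missing from foobar.com
# should not be forwarded. (Setting removed in PowerDNS Authoritative 4.1.)
recursor=127.0.0.1:5353
allow-recursion=10.0.0.0/8          # placeholder intranet range

# recursor.conf
local-address=127.0.0.1
local-port=5353                     # only the authoritative server talks to it

# --- Arrangement 2: recursor in front, forwarding internal zones ---
# recursor.conf
local-address=0.0.0.0
local-port=53
allow-from=10.0.0.0/8               # placeholder intranet range
# Internal zones go straight to the LDAP-backed authoritative server
# (10.0.0.10 is a placeholder); everything else is resolved normally.
forward-zones=foobar.com=10.0.0.10, 0.0.10.in-addr.arpa=10.0.0.10
```

In arrangement 2 the recursor's cache is what the post refers to as going stale when addresses change, which is why low TTLs on the authoritative records only partly help.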