[Pdns-users] Potentially Silly Question! - auth server, dns-(non) sec + sec.

Stefan Schmidt zaphodb at zaphods.net
Thu Jul 21 17:56:50 UTC 2011


On Thu, Jul 21, 2011 at 6:38 PM, Chris Russell
<Chris.Russell at knowledgeit.co.uk> wrote:

>  So the question then becomes: can I run 2 gmysql backends, one for sec, one for not? The docs don't really tell me this, especially preferably in the same database.

Ah, sorry, I didn't read all the way down to your question.

No, you cannot.
The reason for that is that backends are exhausted for zone content in
the order in which they are specified in the launch statement, and the
for loop breaks after the first backend answers something other than 'I
don't know', so the first to answer 'wins', one could say.
This means that your 'sec' backend will always answer first for the
content of the database.

However, you don't need to serve the data via a dedicated 'sec' and
'non-sec' backend, as even if DNSSEC is enabled for a backend, PowerDNS
will still serve that domain without DNSSEC perfectly normally.

Please compare the output of
dig soa zaphods.net @mandelbrot.zaphods.net +norec
to
dig soa zaphods.net @mandelbrot.zaphods.net +norec +dnssec

Enabling DNSSEC for a domain does not mean that a name server will
cease serving regular DNS content and protocol; it just means that it
will respond differently when the 'DNSSEC OK' (DO) bit is set for a query.

Running `pdnssec rectify-zone wibble.com` will just add the 'mail' to
the ordername column of your records table, btw. With DNSSEC in
non-narrow mode you need to run this whenever you change a record. I
suspect running it might already solve your problem.

 Stefan
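
The DO-bit behaviour Stefan describes (same zone data, RRSIGs only when the client asks for them), as an added example that is not part of the original post and not PowerDNS code. It is stdlib-only Python: it builds the two queries that `dig +norec` and `dig +norec +dnssec` would send, parses the EDNS0 OPT record on the server side, and models the answer decision over a constructed zone. The zone entries, names and the RRSIG text are placeholders constructed for the example; the RRSIG is not a valid signature.

```python
import struct

# Constructed zone data (not from the post): one signed RRset. The RRSIG text is
# a placeholder shaped like a real record; it is not a valid signature.
ZONE = {
    ("www.example.net.", "A"): {
        "rrset": ["www.example.net. 3600 IN A 192.0.2.10"],
        "rrsig": ["www.example.net. 3600 IN RRSIG A 8 3 3600 20110821000000 "
                  "20110721000000 12345 example.net. <signature-placeholder>"],
    },
}

QTYPE_A = 1
TYPE_OPT = 41
DO_FLAG = 0x8000          # DO bit is the top bit of the OPT RR's TTL field (RFC 4035 3.2.1)
TYPE_NAMES = {QTYPE_A: "A"}


def encode_name(name):
    """Wire-format encoding of a dotted name: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, do=False, txid=0x1234):
    """Build a non-recursive query (like dig +norec); with do=True append an EDNS0
    OPT RR whose DO bit is set (what dig +dnssec does)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1 if do else 0)
    packet = header + encode_name(qname) + struct.pack("!HH", qtype, 1)
    if do:
        # OPT RR: root owner, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
        packet += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_FLAG, 0)
    return packet


def skip_name(buf, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_query(buf):
    """Return (qname, qtype, do_bit) for a single-question query, scanning the
    additional section for an OPT RR with the DO bit set."""
    _txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off, labels = 12, []
    while buf[off] != 0:
        length = buf[off]
        labels.append(buf[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    off += 1
    qname = ".".join(labels) + "."
    qtype, _qclass = struct.unpack("!HH", buf[off:off + 4])
    off += 4
    do = False
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT and ttl & DO_FLAG:
            do = True
    return qname, qtype, do


def answer(query):
    """Model of the server-side decision the post describes: the same zone data is
    served either way; RRSIGs are appended only when the client set DO.
    Returns the answer-section records, or None if the name/type is not in the zone."""
    qname, qtype, do = parse_query(query)
    entry = ZONE.get((qname, TYPE_NAMES.get(qtype)))
    if entry is None:
        return None
    records = list(entry["rrset"])
    if do:
        records += entry["rrsig"]
    return records


if __name__ == "__main__":
    for do in (False, True):
        print("DO=%s -> %s" % (do, answer(build_query("www.example.net.", QTYPE_A, do=do))))
```

A real authoritative server also echoes an OPT record in its reply and fits the larger signed answer into the advertised UDP payload size (falling back to truncation); the model above leaves that out and only shows the part that matters for the question: a DNSSEC-enabled zone keeps answering plain queries unchanged.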
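
What `rectify-zone` writes into the ordername column, and why it has to be rerun after every record change in non-narrow mode, as an added example that is not part of the original post and not PowerDNS code. For NSEC mode it computes the reversed, space-separated relative name (so 'mail' for mail.wibble.com, the value the post mentions; the exact storage format is an assumption about PowerDNS's rectify logic). For non-narrow NSEC3 mode it computes the RFC 5155 owner-name hash. The chain function then shows that a record whose ordername is still NULL cannot be linked into the NSEC/NSEC3 chain. The zone names, salt and iteration count are constructed for the example; the NSEC3 parameters match the RFC 5155 Appendix A test vector.

```python
import base64
import hashlib

# base32 -> base32hex alphabet translation (RFC 4648 section 7)
BASE32_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical wire form (RFC 4034 6.2): lowercase, length-prefixed labels, zero terminator."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec_ordername(qname, zone):
    """Ordername for NSEC mode: the name relative to the zone, lowercased, labels
    reversed and space-separated, so plain string sorting gives DNS canonical order.
    Assumed format, modelled on PowerDNS's rectify behaviour; the apex gets ''."""
    rel, z = qname.lower().rstrip("."), zone.lower().rstrip(".")
    if rel == z:
        return ""
    if not rel.endswith("." + z):
        raise ValueError("%s is not inside zone %s" % (qname, zone))
    return " ".join(reversed(rel[:-len(z) - 1].split(".")))


def nsec3_hash(name, salt_hex="", iterations=0):
    """Ordername for non-narrow NSEC3 mode: the RFC 5155 section 5 hash,
    IH(0) = SHA-1(wire(name) || salt), IH(k) = SHA-1(IH(k-1) || salt),
    encoded as lowercase base32hex."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(BASE32_TO_HEX).rstrip("=").lower()


def rectify(names, zone, mode="nsec", salt_hex="", iterations=0):
    """What rectify-zone does for the ordername column: compute a value for every name."""
    if mode == "nsec":
        return {n: nsec_ordername(n, zone) for n in names}
    return {n: nsec3_hash(n, salt_hex, iterations) for n in names}


def nsec_chain(ordernames):
    """Link names into the NSEC/NSEC3 chain by ordername, wrapping at the end.
    Names whose ordername is still NULL (a record added or changed without
    rerunning rectify-zone) cannot be placed and are returned separately."""
    present = sorted((n for n in ordernames if ordernames[n] is not None),
                     key=lambda n: ordernames[n])
    links = {n: present[(i + 1) % len(present)] for i, n in enumerate(present)}
    missing = [n for n in ordernames if ordernames[n] is None]
    return links, missing


# Constructed sample zone (not from the post)
SAMPLE_NAMES = ["wibble.com", "mail.wibble.com", "www.wibble.com", "a.b.wibble.com"]

if __name__ == "__main__":
    print(rectify(SAMPLE_NAMES, "wibble.com"))
    print(rectify(SAMPLE_NAMES, "wibble.com", mode="nsec3", salt_hex="aabbccdd", iterations=12))
    stale = dict(rectify(SAMPLE_NAMES, "wibble.com"))
    stale["new.wibble.com"] = None      # record inserted, rectify-zone not rerun
    print(nsec_chain(stale))
```

The practical check after changing records in a non-narrow zone is therefore a query for a NULL ordername in the records table; any row it returns is a name the server cannot prove or deny correctly until `rectify-zone` has been run again.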
