[Pdns-users] Fwd: Re: Recursion when Powerdns auth servers is SOA

Rory Toma rory at ooma.com
Wed Jan 11 00:22:47 UTC 2012

To be clear, in our case, the exact same data is returned, just from 
different sources.

On 1/10/12 4:21 PM, Chris Moates wrote:
> We have a different use case but similar situation. In our case, we 
> are (unfortunately) using the same domain both internally and 
> externally. So some entries only exist internally, some only 
> externally, and some both, but with different IPs. Here's an example:
> web1.domain.com has a 10.x and 208.x address, 
> depending on if you're outside or inside.
> www.domain.com only exists externally
> database.domain.com only exists internally
> What I'd like to do is have our internal DNS servers try asking the 
> outside DNS servers when they don't have a record. What we have to do 
> now is copy the relevant records across and maintain them in two 
> places. Previously, we had accomplished this with Bind's split views, 
> but that had its own share of issues.
> I've toyed with implementing a backend that would query the external 
> server, as it seems my best option. I just haven't gotten to 
> completing it yet. Sort of a "also ask this DNS server" backend.
> Cheers,
> Chris
> On Tue, Jan 10, 2012 at 6:44 PM, Rory Toma <rory at ooma.com> wrote:
>     I noticed I failed to reply to the list...
>     -------- Original Message --------
>     Subject: Re: [Pdns-users] Recursion when Powerdns auth servers is SOA
>     Date: Tue, 10 Jan 2012 14:56:13 -0800
>     From: Rory Toma <rory at ooma.com>
>     To: bert hubert <bert.hubert at netherlabs.nl>
>     On 1/10/12 2:48 PM, bert hubert wrote:
>>     On Jan 10, 2012, at 11:37 PM, Rory Toma wrote:
>>>     "To make sure that the local authoritative database overrides
>>>     recursive information, PowerDNS first tries to answer a question
>>>     from its own database. If that succeeds, the answer packet is
>>>     sent back immediately without involving the recursor in any way.
>>>     This means that for questions for which there is no answer,
>>>     PowerDNS will consult the recursor for an recursive query, even
>>>     if PowerDNS is authoritative for a domain! This will only cause
>>>     problems if you 'fake' domains which don't really exist."
>>>     What I want to do is have powerdns consult the recursor even if
>>>     powerdns is authoritative for a domain. This is what I can't seem
>>>     to get to work.
>>     I think we no longer do this, and that the documentation is in
>>     that case out of date. It complicated things too badly.
>>     If you want to override the internet, you may have more success
>>     the other way around, put a PowerDNS Recursor with specific
>>     authoritative data as an auth server.
>>     Bert
>     I'll explain my problem in a little more detail, and then perhaps
>     suggestions can flow:
>     We are using dns as a registration system. Devices contact a
>     server and register, a dns record is created. For the sake of this
>     discussion, I'll refer to this as old registration system (bind
>     and old registration servers) and new registration system
>     (powerdns and new server)
>     Many "apps" need to look up the information in dns, we have a
>     keepalived fault tolerant IP address that points to a name server
>     (currently bind), but we'd like to switch this to powerdns.
>     However, we can't just switch all the dns records over at once,
>     there has to be a transition period. So, we'd like to switch over
>     to powerdns and new registration server. All new records will
>     exist in powerdns. Eventually, all the old records will migrate as
>     clients re-register.
>     So, when someone queries the new server, it needs to look up the
>     data first in powerdns, and if it isn't there, recurse.
>     I tried putting the powerdns recursor in front. It did not work
>     for me, as each backend server thinks it is authoritative. So if
>     it happens to query that one first, it returns NXDOMAIN and never
>     looks at the next one in the list.
>     _______________________________________________
>     Pdns-users mailing list
>     Pdns-users at mailman.powerdns.com
>     http://mailman.powerdns.com/mailman/listinfo/pdns-users
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
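
The lookup order discussed in this thread, as an added example that is not part of the original messages and is not PowerDNS code: it contrasts the "first authoritative NXDOMAIN is final" behaviour Rory reports with the "also ask this DNS server" fall-through Chris describes. The `AuthServer` class, the function names and the addresses are assumptions made up for the illustration; only the three host names come from the thread.

```python
# Added illustration: in-memory stand-ins for DNS servers; no network I/O.
NOERROR, NXDOMAIN, REFUSED = "NOERROR", "NXDOMAIN", "REFUSED"


class AuthServer:
    """Toy authoritative server that answers only from its own table."""

    def __init__(self, name, zone, records):
        self.name, self.zone, self.records = name, zone, records

    def query(self, qname, qtype="A"):
        qname = qname.lower().rstrip(".")
        if qname != self.zone and not qname.endswith("." + self.zone):
            return REFUSED, []                  # not authoritative for this name
        rrsets = self.records.get(qname)
        if rrsets is None:
            return NXDOMAIN, []                 # authoritative "no such name"
        return NOERROR, rrsets.get(qtype, [])   # empty list means NODATA


def first_answer_wins(servers, qname, qtype="A"):
    """Behaviour reported in the thread: the first authoritative reply,
    NXDOMAIN included, is final and later servers are never asked."""
    rcode, answers = servers[0].query(qname, qtype)
    return servers[0].name, rcode, answers


def fallthrough(servers, qname, qtype="A"):
    """Behaviour both posters want: NXDOMAIN (or REFUSED) from one server
    means "ask the next one". Order is the override policy: earlier wins."""
    for server in servers:
        rcode, answers = server.query(qname, qtype)
        if rcode == NOERROR:                    # name exists here, even if NODATA
            return server.name, rcode, answers
    return None, NXDOMAIN, []                   # nobody knows the name


# Constructed sample data; addresses are made up for the example.
INTERNAL = AuthServer("internal", "domain.com", {
    "web1.domain.com": {"A": ["10.0.0.5"]},
    "database.domain.com": {"A": ["10.0.0.9"]},
})
EXTERNAL = AuthServer("external", "domain.com", {
    "web1.domain.com": {"A": ["208.0.2.5"]},
    "www.domain.com": {"A": ["208.0.2.80"]},
})
```

With `[INTERNAL, EXTERNAL]` as the order, internal records override external ones for names present in both, and a name is reported missing only when every server in the list says so.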
