[Pdns-users] Fwd: Re: Recursion when Powerdns auth servers is SOA

Rory Toma rory at ooma.com
Thu Jan 12 02:07:16 UTC 2012


Hmm... got powerdns to start up now, but it does not send out queries to 
the recursor in this version, either for me. I have twiddled the 
allow-recursion-override and lazy recursion, but no luck.

On 1/11/12 7:03 AM, Parish, Brent wrote:
>
> I ended up having to go back to 2.9.22 to make this work. :(
>
> In our case, we have Windows (Active Directory/DNS) housing some of 
> the (internal) domain, and PowerDNS storing other records.
>
> To make Windows happy, it is authoritative over a subdomain (e.g. 
>  sub.example.com), while PowerDNS handles the parent example.com.
>
> The issue we especially run into is reverse (PTR) records.  In our 
> environment,  hosts from both domains are in the same IP range (e.g. 
> 10.10.128.x).
>
> Sooo, when you go for a reverse lookup on 10.10.128.45 (for example), 
> we get into trouble with DNS servers being authoritative over that 
> reverse zone (e.g. 128.10.10.in-addr.arpa), because that record might 
> live in Windows or PowerDNS.
>
> In addition, we also have some (public IP)  records hosted outside our 
> firewall (but still using the internal example.com domain name 
> space).  If I use the old PowerDNS, it doesn't matter that those 
> records are hosted elsewhere but within the internal name space -- 
> PowerDNS doesn't know the answer and simply recurses it out for 
> resolution.
>
> That's why I really like the old PowerDNS ability to consult other DNS 
> servers for answers, even within a domain that PowerDNS is considered 
> "authoritative" for -- it's an awesome feature we rely on very heavily 
> here!!!!  =)
>
> I don't have a clue how easy or hard that would be to code, but I 
> would love it if that was still available in the new (3.x) PowerDNS!!!
>
> Perhaps even if it was just an option you could toggle on and off (off 
> by default to save on the confusion you mentioned).
>
> Just my 2 cents.
>
> Thanks,
>
> Brent
>
> *From:*pdns-users-bounces at mailman.powerdns.com 
> [mailto:pdns-users-bounces at mailman.powerdns.com] *On Behalf Of *Rory Toma
> *Sent:* Tuesday, January 10, 2012 6:44 PM
> *To:* pdns-users at mailman.powerdns.com
> *Subject:* [Pdns-users] Fwd: Re: Recursion when Powerdns auth servers 
> is SOA
>
> I noticed I failed to reply to the list...
>
>
> -------- Original Message --------
>
> Subject: Re: [Pdns-users] Recursion when Powerdns auth servers is SOA
> Date: Tue, 10 Jan 2012 14:56:13 -0800
> From: Rory Toma <rory at ooma.com>
> To: bert hubert <bert.hubert at netherlabs.nl>
>
>
>
> On 1/10/12 2:48 PM, bert hubert wrote:
>
> On Jan 10, 2012, at 11:37 PM, Rory Toma wrote:
>
>
>
> "To make sure that the local authoritative database overrides 
> recursive information, PowerDNS first tries to answer a question from 
> its own database. If that succeeds, the answer packet is sent back 
> immediately without involving the recursor in any way. This means that 
> for questions for which there is no answer, PowerDNS will consult the 
> recursor for an recursive query, even if PowerDNS is authoritative for 
> a domain! This will only cause problems if you 'fake' domains which 
> don't really exist."
>
> What I want to do is have powerdns consult the recursor even if 
> powerdns is authoritative for a domain. This is what I can't seem to 
> get to work.
>
> I think we no longer do this, and that the documentation is in that 
> case out of date. It complicated things too badly.
>
> If you want to override the internet, you may have more success the 
> other way around, put a PowerDNS Recursor with specific authoritative 
> data as an auth server.
>
> Bert
>
>
> I'll explain my problem in a little more detail, and then perhaps 
> suggestions can flow:
>
> We are using dns as a registration system. Devices contact a server 
> and register, a dns record is created. For the sake of this 
> discussion, I'll refer to this as old registration system (bind and 
> old registration servers) and new registration system (powerdns and 
> new server)
>
> Many "apps" need to look up the information in dns, we have a 
> keepalived fault tolerant IP address that points to a name server 
> (currently bind), but we'd like to switch this to powerdns. However, 
> we can't just switch all the dns records over at once, there has to be 
> a transition period. So, we'd like to switch over to powerdns and new 
> registration server. All new records will exist in powerdns. 
> Eventually, all the old records will migrate as clients re-register.
>
> So, when someone queries the new server, it needs to look up the data 
> first in powerdns, and if it isn't there, recurse.
>
> I tried putting the powerdns recursor in front. It did not work for 
> me, as each backend server thinks it is authoritative. So if it 
> happens to query that one first, it returns NXDOMAIN and never looks 
> at the next one in the list.
>
>
>
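
The lookup order asked for in this thread (answer from the new server first, move on to the old one only on NXDOMAIN), next to the stop-at-first-NXDOMAIN behaviour described in the last quoted paragraph, as an added example that is not part of the original messages and is not PowerDNS code. The server labels, host names, addresses and packets are constructed, and the two "servers" are in-process functions rather than network sockets.

```python
import struct

NOERROR, NXDOMAIN = 0, 3          # DNS RCODE values
QR, AA = 0x8000, 0x0400           # header flag bits: response, authoritative answer

def build_response(name, address=None, qid=0x1234):
    """Constructed sample packet: an authoritative reply to an A query."""
    rcode = NOERROR if address else NXDOMAIN
    header = struct.pack("!HHHHHH", qid, QR | AA | rcode, 1, 1 if address else 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN
    if address:  # one A record; 0xC00C is a compression pointer to the question name
        rdata = bytes(int(octet) for octet in address.split("."))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return msg

def parse_header(msg):
    """Pull the fields that drive the fallback decision out of the 12-byte header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"aa": bool(flags & AA), "rcode": flags & 0x000F, "ancount": ancount}

def make_server(zone):
    """Hypothetical authoritative server: AA + NXDOMAIN for any name it does not hold."""
    return lambda name: build_response(name, zone.get(name))

def resolve(name, servers, fall_through):
    """Ask servers in order; with fall_through, NXDOMAIN moves on to the next one."""
    for label, ask in servers:
        hdr = parse_header(ask(name))
        if hdr["rcode"] == NXDOMAIN and fall_through:
            continue
        return label, hdr["rcode"], hdr["aa"]
    return None, NXDOMAIN, False

# Constructed data: dev2 has re-registered in the new system, dev1 has not yet.
SERVERS = [
    ("new-pdns", make_server({"dev2.example.com": "10.10.128.46"})),
    ("old-bind", make_server({"dev1.example.com": "10.10.128.45"})),
]

if __name__ == "__main__":
    for mode in (False, True):
        print("fall_through =", mode, resolve("dev1.example.com", SERVERS, mode))
```

With fall_through=False the first server's authoritative NXDOMAIN is taken as final, which is the failure described in the message above.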
