[Pdns-users] Fwd: Re: Recursion when Powerdns auth servers is SOA
Rory Toma
rory at ooma.com
Thu Jan 12 02:07:16 UTC 2012
Hmm... got powerdns to start up now, but it does not send out queries to
the recursor in this version, either for me. I have twiddled the
allow-recursion-override and lazy recursion, but no luck.
On 1/11/12 7:03 AM, Parish, Brent wrote:
>
> I ended up having to go back to 2.9.22 to make this work. :(
>
> In our case, we have Windows (Active Directory/DNS) housing some of
> the (internal) domain, and PowerDNS storing other records.
>
> To make Windows happy, it is authoritative over a subdomain (e.g.
> sub.example.com), while PowerDNS handles the parent example.com.
>
> The issue we especially run into is reverse (PTR) records. In our
> environment, hosts from both domains are in the same IP range (e.g.
> 10.10.128.x).
>
> Sooo, when you go for a reverse lookup on 10.10.128.45 (for example),
> we get into trouble with DNS servers being authoritative over that
> reverse zone (e.g. 128.10.10.in-addr.arpa), because that record might
> live in Windows or PowerDNS.
>
> In addition, we also have some (public IP) records hosted outside our
> firewall (but still using the internal example.com domain name
> space). If I use the old PowerDNS, it doesn't matter that those
> records are hosted elsewhere but within the internal name space --
> PowerDNS doesn't know the answer and simply recurses it out for
> resolution.
>
> That's why I really like the old PowerDNS ability to consult other DNS
> servers for answers, even within a domain that PowerDNS is considered
> "authoritative" for -- it's an awesome feature we rely on very heavily
> here!!!! =)
>
> I don't have a clue how easy or hard that would be to code, but I
> would love it if that was still available in the new (3.x) PowerDNS!!!
>
> Perhaps even if it was just an option you could toggle on and off (off
> by default to save on the confusion you mentioned).
>
> Just my 2 cents.
>
> Thanks,
>
> Brent
>
> From: pdns-users-bounces at mailman.powerdns.com
> [mailto:pdns-users-bounces at mailman.powerdns.com] On Behalf Of Rory Toma
> Sent: Tuesday, January 10, 2012 6:44 PM
> To: pdns-users at mailman.powerdns.com
> Subject: [Pdns-users] Fwd: Re: Recursion when Powerdns auth servers
> is SOA
>
> I noticed I failed to reply to the list...
>
>
> -------- Original Message --------
> Subject: Re: [Pdns-users] Recursion when Powerdns auth servers is SOA
> Date: Tue, 10 Jan 2012 14:56:13 -0800
> From: Rory Toma <rory at ooma.com>
> To: bert hubert <bert.hubert at netherlabs.nl>
>
> On 1/10/12 2:48 PM, bert hubert wrote:
>
> On Jan 10, 2012, at 11:37 PM, Rory Toma wrote:
>
>
>
> "To make sure that the local authoritative database overrides
> recursive information, PowerDNS first tries to answer a question from
> its own database. If that succeeds, the answer packet is sent back
> immediately without involving the recursor in any way. This means that
> for questions for which there is no answer, PowerDNS will consult the
> recursor for a recursive query, even if PowerDNS is authoritative for
> a domain! This will only cause problems if you 'fake' domains which
> don't really exist."
>
> What I want to do is have powerdns consult the recursor even if
> powerdns is authoritative for a domain. This is what I can't seem to
> get to work.
>
> I think we no longer do this, and that the documentation is in that
> case out of date. It complicated things too badly.
>
> If you want to override the internet, you may have more success the
> other way around, put a PowerDNS Recursor with specific authoritative
> data as an auth server.
>
> Bert
>
>
> I'll explain my problem in a little more detail, and then perhaps
> suggestions can flow:
>
> We are using dns as a registration system. Devices contact a server
> and register, a dns record is created. For the sake of this
> discussion, I'll refer to this as old registration system (bind and
> old registration servers) and new registration system (powerdns and
> new server)
>
> Many "apps" need to look up the information in dns, we have a
> keepalived fault tolerant IP address that points to a name server
> (currently bind), but we'd like to switch this to powerdns. However,
> we can't just switch all the dns records over at once, there has to be
> a transition period. So, we'd like to switch over to powerdns and new
> registration server. All new records will exist in powerdns.
> Eventually, all the old records will migrate as clients re-register.
>
> So, when someone queries the new server, it needs to look up the data
> first in powerdns, and if it isn't there, recurse.
>
> I tried putting the powerdns recursor in front. It did not work for
> me, as each backend server thinks it is authoritative. So if it
> happens to query that one first, it returns NXDOMAIN and never looks
> at the next one in the list.
>
>
>
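A simplified model of the two lookup orders discussed in this thread, added here as an example; it is not code from PowerDNS or from any of the posters. It contrasts a resolver in front whose first reply is final with the "local data first, then ask the next server" order from the quoted documentation. The server labels, record data and function names are assumptions made for the illustration.

```python
# Simplified model of the two lookup orders discussed in this thread.
# All zone data below is constructed sample data, not taken from the thread.
NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"

class AuthServer:
    """A server that believes it is authoritative: any miss is NXDOMAIN."""
    def __init__(self, label, records):
        self.label = label
        self.records = records      # {(qname, qtype): rdata}
        self.queries = []           # every question this server received

    def query(self, qname, qtype):
        self.queries.append((qname, qtype))
        rdata = self.records.get((qname, qtype))
        return (NOERROR, rdata) if rdata else (NXDOMAIN, None)

def first_reply_final(servers, qname, qtype):
    """Resolver in front: the server asked first gives the final answer,
    NXDOMAIN included (the failure described in the thread)."""
    rcode, rdata = servers[0].query(qname, qtype)
    return rcode, rdata, servers[0].label

def local_then_fallback(servers, qname, qtype):
    """Local data first; only on a miss is the next server asked (the
    behaviour the quoted documentation describes)."""
    for server in servers:
        rcode, rdata = server.query(qname, qtype)
        if rcode == NOERROR:
            return rcode, rdata, server.label
    return NXDOMAIN, None, None

def build_servers():
    """Two servers sharing one reverse range, each holding part of it."""
    new = AuthServer("new", {("45.128.10.10.in-addr.arpa.", "PTR"): "host-a.example.com."})
    old = AuthServer("old", {("46.128.10.10.in-addr.arpa.", "PTR"): "host-b.sub.example.com."})
    return new, old

if __name__ == "__main__":
    new, old = build_servers()
    name = "46.128.10.10.in-addr.arpa."
    print(first_reply_final([new, old], name, "PTR"))
    print(local_then_fallback([new, old], name, "PTR"))
    print("questions seen by the second server:", old.queries)
```

In the fallback order every local miss, including a name that exists on neither server, is passed to the next server, so that server sees those questions as well.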