[Pdns-users] Authoritative vs Recursor

[Daniel L. Miller]

On 1/14/2012 8:46 AM, Peter van Dijk wrote:
> Hello Daniel,
>
> On Jan 14, 2012, at 11:57 , Daniel L. Miller wrote:
>
>> I'm confused as to the proper pairing of the authoritative server vs the recursor.  I have a small LAN and provide authoritative DNS for a handful of sites.  In the past, using other DNS software (djbdns), my configuration was:
>>
>> 1.  An authoritative server for Internet domain names hosted by me.  Reachable by internet clients.
>> 2.  An authoritative server for internal domain names.  Only visible to the LAN recursor.
>> 3.  A caching recursive server, accessible by the LAN clients, that had a list of local authoritative servers&  domains as well as direct queries to the Internet.
>>
>> So my authoritative Internet server was reachable via public IP, my internal authoritative listened on localhost, and my internal caching recursor was pushed via DHCP to my LAN clients.  I have setup a similar configuration using pdns - the authoritative is reachable via public IP, and the recursor has a forward-zone file and is pushed to the clients via DHCP.  So my LAN clients query the recursor - not the pdns authoritative server.
>>
>> My question - this works, but is it "correct" usage with pdns?
> Yes, this is a fine setup. LAN clients (workstations) cannot talk directly to auths (unless those auths also proxy to a recursor).
>
> There is one possible variant (that djbdns would not support): if you use 'auth-zones=' in recursor.conf, you can do without the internal auth.
>

Where I'm confused is it APPEARS pdns is designed to work the other way 
- with a visible auth server which contacts the recursor when required.  
Does it matter?

-- 
Daniel