[Pdns-users] Managing pdns-recursors forward.zones file
Thomas Mieslinger
miesi at pc-h.de
Mon Jan 7 09:02:33 UTC 2013
Hello Peter,
On 04.01.13 09:06, Peter van Dijk wrote:
> Hello Thomas,
>
> On Jan 3, 2013, at 20:21 , Thomas Mieslinger wrote:
>
>> Currently my team mates and I use a script to build a (currently) 423-line-long forward.zones file.
>> Every time we need to touch it we are afraid of breaking things really fast.
>
> Why?
We have 12 recursor boxes (growing to 20 this year), each with four
instances with different configurations. When we need to change something
in the forward.zones file, we edit files in Puppet, then have to log
into every machine to do the Puppet run by hand and watch it doing things.
Maybe this is a home-made problem and we should use Puppet differently so
that we regain trust in it, but after all this is a philosophical question:
where do we manage DNS data? In Puppet or somewhere else? For our 4000
zones we've decided "somewhere else". So I'd like to be able to manage
the forward.zones "just like" DNS data...
>> So I'm thinking about two solutions:
>> - I could add functionality to my employer's new IP address and DNS management tool to manage forward.zones files.
>> - I could regularly download the root-zone file, strip DNSSEC from it, append information for the 423 forward.zones, load it into our pdns-authoritative servers and shorten the forward.zones to
>> ".=<pdns-authoritative-IPs>"
>>
>> Has anyone already tried the second method? Do you think that could work?
>
>
> A simplified version of that file might look like this (I presume, please correct me if I'm wrong!):
> . SOA ....
> com. IN NS a.gtld-servers.net.
> hotmail.com. IN NS ns.pc-h.de.
>
> If the recursor asks for www.google.com, it will get the com referral, and cache that. If it *then* needs www.hotmail.com, it will presumably use that cached com referral. I have not tried this but I have the feeling this is where it would go wrong.
Thanks for the hint with the simplified root zone. I'll create a test
setup and hope that the authoritative server can handle the load for all
the '.' queries. Probably the authoritative server will regularly die
with "may-queue-length exceeded"....
Best regards
Thomas
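As an added illustration (not code from this thread, nor from PowerDNS), the following Python model contrasts the two lookup paths being discussed: a forward.zones table, which a recursor consults by longest suffix match on every query, and a fake root zone, which the recursor only sees when no closer delegation is already cached (the RFC 1034 section 5.3.3 closest-encloser rule). It reproduces Peter's sequence: www.google.com first, then www.hotmail.com. The delegation data is taken from Peter's sketch; 192.0.2.53 is a constructed placeholder for the pdns-authoritative IPs, and the `zone=server,server` line format for forward.zones is an assumption of this example.

```python
"""Toy model of the two lookup paths discussed in the thread.

Added example, not pdns-recursor code. Data is constructed: ns.pc-h.de. and
a.gtld-servers.net. come from Peter's simplified root zone; 192.0.2.53 is a
documentation address standing in for <pdns-authoritative-IPs>.
"""

FAKE_ROOT_SERVERS = ["192.0.2.53"]  # placeholder for the pdns-authoritative IPs

# Peter's simplified root zone reduced to its delegations (SOA omitted).
FAKE_ROOT_DELEGATIONS = {
    "com.": ["a.gtld-servers.net."],
    "hotmail.com.": ["ns.pc-h.de."],
}


def ancestors(qname):
    """Zones enclosing qname, most specific first, ending with the root '.'."""
    parts = [p for p in qname.lower().rstrip(".").split(".") if p]
    return [".".join(parts[i:]) + "." for i in range(len(parts))] + ["."]


def longest_match(qname, table):
    """Closest-encloser lookup: the most specific zone in `table` that
    encloses qname, as (zone, servers), or None if nothing matches."""
    for zone in ancestors(qname):
        if zone in table:
            return zone, table[zone]
    return None


def parse_forward_zones(text):
    """Parse 'zone=server[,server...]' lines of a forward.zones file.

    The comma-separated form is an assumption of this example; a leading
    '+' (forward with recursion) is accepted but otherwise ignored here.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        zone, _, servers = line.partition("=")
        zone = zone.strip().lstrip("+").rstrip(".").lower() + "."
        table[zone] = [s.strip() for s in servers.split(",") if s.strip()]
    return table


def forwarded_to(qname, forward_table):
    """Current setup: the forward table is consulted by longest match on
    every query, before any cached referral is considered."""
    return longest_match(qname, forward_table)


def next_servers(qname, cache):
    """Fake-root setup: follow the closest cached delegation. Only when that
    is the root itself is the fake root asked; its referral (the most
    specific delegation it holds for qname) is then cached."""
    zone, servers = longest_match(qname, cache)
    if zone == ".":
        # A fake root built from the real root zone would delegate every TLD;
        # the fallback below just keeps this toy model total.
        zone, servers = longest_match(qname, FAKE_ROOT_DELEGATIONS) or (
            ".", FAKE_ROOT_SERVERS)
        cache[zone] = servers
    return zone, servers


def scenario():
    """Who gets asked for www.hotmail.com under each approach."""
    # Constructed forward.zones fragment in the style of the current setup.
    forward_table = parse_forward_zones("hotmail.com=ns.pc-h.de.\n")

    cache = {".": list(FAKE_ROOT_SERVERS)}  # recursor starts with only the root
    next_servers("www.google.com", cache)   # fake root refers to com., cached
    after_com = next_servers("www.hotmail.com", cache)  # com. wins, override lost

    return {
        "forward_zones": forwarded_to("www.hotmail.com", forward_table),
        "fake_root_cold": next_servers("www.hotmail.com", {".": list(FAKE_ROOT_SERVERS)}),
        "fake_root_after_com": after_com,
    }


if __name__ == "__main__":
    for name, (zone, servers) in scenario().items():
        print(f"{name:20s} -> {zone} via {', '.join(servers)}")
```

Only the cold-cache fake-root path reaches ns.pc-h.de.; once the com. referral is cached, the recursor goes to the gtld servers and the hotmail.com override in the fake root is never consulted, which is the behaviour Peter suspected. The forward.zones path is unaffected by cache state because the table is matched before resolution starts.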