[Pdns-users] Managing pdns-recursors forward.zones file

Thomas Mieslinger miesi at pc-h.de
Mon Jan 7 09:02:33 UTC 2013

Hello Peter,

On 04.01.13 09:06, Peter van Dijk wrote:
> Hello Thomas,
> On Jan 3, 2013, at 20:21 , Thomas Mieslinger wrote:
>> currently my team mates and I use a script to build a (currently) 423 lines long forward.zones file.
>> Every time we need to touch it we have fear to break things really fast.
> Why?

We have 12 recursor (this year growing to 20) boxes each with four 
instances with different configuration. When we need to change something 
in the forward.zones file, then we edit files in puppet, have to log 
into every machine to do the puppet run by hand and watch it doing things.
Maybe this is a home-made problem and we should use puppet differently so 
that we regain trust in it, but after all this is a philosophical question.
Where do we manage dns data? In Puppet or somewhere else? For our 4000 
Zones we've decided "somewhere else". So I'd like to be able to manage 
the forward.zones "just like" dns data...

>> So I'm thinking about two solutions:
>> - I could add functionality to my employer's new ip address and dns management tool to manage forward.zone files.
>> - I could regularly download the root-zone file, strip dnssec from it, append information for the 423 forward.zones and load it into our pdns-authoritative servers and shorten the forward.zones to
>> ".=<pdns-authoritative-IPs>"
>> Has anyone already tried the second method? Do you think that could work?
> A simplified version of that file might look like this (I presume, please correct me if I'm wrong!)
> . SOA ....
> com. IN NS a.gtld-servers.net.
> hotmail.com. IN NS ns.pc-h.de.
> If the recursor asks for www.google.com, it will get the com referral, and cache that. If it *then* needs www.hotmail.com, it will presumably use that cached com referral. I have not tried this but I have the feeling this is where it would go wrong.

Thanks for the hint with the simplified root zone. I'll create a test 
setup and hope that the authoritative Server can handle the load for all 
the '.' queries. Probably the authoritative Server will regularly die 
with "max-queue-length exceeded"....

Best regards
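
The referral-caching concern quoted above can be traced with a small model. This is an added example, not part of the original message and not PowerDNS code: it is a simplified simulation of a recursor's NS cache, the `*.example.` server names are constructed, and `Recursor`, `suffixes` and `demo` are hypothetical names.

```python
# Simplified model of a recursor's NS cache (constructed data, not real DNS traffic).
# Each server maps the zone cuts it delegates to the server responsible for them.
FAKE_ROOT = "pdns-authoritative"             # target of ".=<pdns-authoritative-IPs>"
DELEGATIONS = {
    FAKE_ROOT: {                             # the simplified root zone from the thread
        "com.": "a.gtld-servers.net.",
        "hotmail.com.": "ns.pc-h.de.",       # the local override
    },
    "a.gtld-servers.net.": {                 # the real com zone has no local override
        "google.com.": "ns.google.example.",     # constructed name
        "hotmail.com.": "ns.hotmail.example.",   # constructed name
    },
}

def suffixes(qname):
    """Yield qname's enclosing zones, closest first: www.a.com. -> a.com. -> com."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."

class Recursor:
    def __init__(self):
        self.ns_cache = {}                   # zone cut -> server learned from a referral

    def resolve(self, qname):
        """Return the server that finally answers qname, caching referrals on the way."""
        # Start at the closest zone cut already cached, else at the forwarder for ".".
        server = next((self.ns_cache[z] for z in suffixes(qname) if z in self.ns_cache),
                      FAKE_ROOT)
        while True:
            zone_cuts = DELEGATIONS.get(server, {})
            # A server refers to the most specific delegation it holds for qname.
            cut = next((z for z in suffixes(qname) if z in zone_cuts), None)
            if cut is None:
                return server                # no further referral: this server answers
            self.ns_cache[cut] = zone_cuts[cut]
            server = zone_cuts[cut]

def demo():
    """Compare a cold cache with one that has already learned the com. referral."""
    cold = Recursor().resolve("www.hotmail.com.")
    warm_recursor = Recursor()
    warm_recursor.resolve("www.google.com.")     # caches com. -> a.gtld-servers.net.
    warm = warm_recursor.resolve("www.hotmail.com.")
    return cold, warm

if __name__ == "__main__":
    print(demo())
```

In this model the override only takes effect while no `com.` referral is cached, so the result depends on query order.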
