[Pdns-users] powerdns 4.1 recursive queries architecture change
Alain RICHARD
alain.richard at equation.fr
Fri Jan 19 17:36:43 UTC 2018
Hi,
I am using up to now pdns-4.0.x and pdns-recursor-4.0.x as a simple replacement for bind installations at customers' sites.
The setup I am using is to keep master/slave replication as I need to replicate zones from other master servers (linux or windows) and the DHCP server is doing dynamic DNS updates to the master direct and reverse zones (RFC 2136).
So mainly I configure the following:
- pdns is listening on port 53
- pdns-recursor is listening on port 5301
- pdns configured to forward recursive queries to the recursor on port 5301
- dhcp server (isc dhcp) configured to do RFC2136 dns updates
I just tried out the new version 4.1 and see that there is a major architecture change: the pdns server is not able to forward recursive queries to the recursor.
So the proposed solutions:
Scenario 1: the recursor is on port 53 and forwards queries for known zones to the authoritative pdns on port 5300
Scenario 2: the dnsdist is on port 53, forwards queries for known zones to the authoritative pdns on port 5300, and forwards recursive queries to the recursor on port 5301
I see several problems with these setups:
Scenario 1:
- you cannot have master/slave replication because the recursor does not forward AXFR/IXFR/NOTIFY to the authoritative server
- you cannot have RFC 2136 dns updates as the recursor does not forward UPDATE to the authoritative server
- you cannot keep using the ISC DHCP server because you cannot specify another port than 53 for the destination of UPDATE (it is possible with the new KEA server, supposed to replace ISC DHCP)
- you must edit the recursor settings each time you add a new zone to the authoritative server
- this breaks the supermasters architecture as there is no NOTIFY forwarding, and even if there was, the recursor needs to be edited to forward the new zones
Scenario 2:
- AXFR/IXFR/NOTIFY are forwarded to the authoritative server, but the presented address is the one of the dnsdist server and not of the original master
- RFC 2136 UPDATEs are forwarded, using the dnsdist server address
- you must edit the recursor settings each time you add a new zone to the authoritative server
- you must edit the dnsdist settings each time you add a new zone to the authoritative server
- you must edit the dnsdist settings each time you change the NS entries on an authoritative zone (for example by adding a slave server)
- this breaks the supermasters architecture because the dnsdist and recursor settings must be manually updated to forward the new zones
I have tried the various solutions, even replacing with some success the ISC DHCP server with the new kea server, but I am now convinced that I cannot have master/slave/supermaster/update functionalities on the 4.1 version without a major change on the customer server and PC setup.
I understand well that these architecture changes were done to improve performance on big setups (ISP or large companies), and that you may also separate each process using separate IP addresses and have them all use the default port 53, but this will also make pdns not a good replacement for most of our customers that have simpler needs.
So for the moment I will keep the 4.0 version, but I hope the 4.1.x and later versions will get back the possibility to have the authoritative server forwarding to the recursor.
Regards,
Alain RICHARD
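The routing decision the two scenarios hand to a port-53 front-end, written out as an added example (this is not code from the post, from PowerDNS or from dnsdist). It takes a list of zones the authoritative server serves and decides, per message, whether it belongs to the authoritative server on 5300 or to the recursor on 5301, using longest-suffix matching on the query name; it treats zone-transfer and maintenance traffic (AXFR/IXFR, NOTIFY, UPDATE) as authoritative regardless of name, which is exactly the traffic the post says a plain recursor in front never forwards. It also emits the lines a recursor `forward-zones-file` would need for scenario 1, which makes the post's maintenance point concrete: whenever the zone list changes, this file has to be regenerated. The zone names and addresses are constructed for illustration; only the port numbers follow the post.

```python
"""Added example, not from the original post: model of the "known zone"
routing that scenario 1 (recursor) or scenario 2 (dnsdist) must perform
on port 53, plus the recursor forward-zones-file it implies.
"""

AUTH = "127.0.0.1:5300"      # pdns authoritative (port as in the post)
RECURSOR = "127.0.0.1:5301"  # pdns-recursor (port as in the post)

# Constructed sample: forward and reverse zones the authoritative server
# hosts. In a real deployment this list would come from the authoritative
# server itself (e.g. the output of `pdnsutil list-all-zones`), and the
# files below must be regenerated every time it changes.
AUTH_ZONES = ["example.internal", "10.in-addr.arpa", "corp.example.internal"]


def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def matching_zone(qname, zones):
    """Return the longest zone in `zones` that is a suffix of qname, or None.

    Longest match matters: "x.corp.example.internal" must be attributed to
    "corp.example.internal", not to its parent "example.internal".
    """
    q = _labels(qname)
    best = None
    for zone in zones:
        zl = _labels(zone)
        if zl and len(zl) <= len(q) and q[-len(zl):] == zl:
            if best is None or len(zl) > len(_labels(best)):
                best = zone
    return best


def route(qname, qtype="A", opcode="QUERY", zones=AUTH_ZONES):
    """Decide which back-end a port-53 front-end has to send a message to.

    - NOTIFY and UPDATE (RFC 1996 / RFC 2136) and AXFR/IXFR requests are
      authoritative-server traffic whatever the name; a recursor does not
      forward them, so a front-end must route them explicitly.
    - Anything under a hosted zone goes to the authoritative server.
    - Everything else is a recursive query for the recursor.
    """
    if opcode in ("NOTIFY", "UPDATE") or qtype in ("AXFR", "IXFR"):
        return AUTH
    if matching_zone(qname, zones) is not None:
        return AUTH
    return RECURSOR


def forward_zones_file(zones=AUTH_ZONES, auth=AUTH):
    """Lines for the recursor's forward-zones-file (scenario 1).

    Format is `zone=address[:port]`, one zone per line, without the `+`
    prefix so the recursor sends non-recursive queries to the authoritative
    server. Only ordinary queries are affected by this file; NOTIFY/UPDATE
    and zone transfers arriving on port 53 are still not passed on.
    """
    return [f"{zone}={auth}" for zone in zones]


if __name__ == "__main__":
    for line in forward_zones_file():
        print(line)
    print(route("host.example.internal"))          # authoritative
    print(route("www.example.org"))                # recursor
    print(route("dhcp-host.example.internal", opcode="UPDATE"))  # authoritative
```

Run as a script it prints the forward-zones-file lines and three routing decisions; imported, `route()` and `forward_zones_file()` can be called directly. The `route()` logic is the same classification a dnsdist rule set for scenario 2 has to encode by hand, which is why adding a zone, or a new slave's NS record, means touching the front-end configuration as well as the authoritative server.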