[Pdns-users] powerdns 4.1 recursive queries architecture change

Alain RICHARD alain.richard at equation.fr
Thu Jan 25 16:50:29 UTC 2018

Hi Brian,

I completely agree with you that it makes sense, for medium to large ISP needs, to separate the resolver from the auth servers for several reasons.

My point was that the PowerDNS architecture and its good API make it very interesting for small ISPs or small to medium-sized enterprises: you may have it integrated with other products such as domain management systems, IPAM products, DHCP servers or Web management panels. So perhaps it is too bad to target the product only at large ISP needs.

Also, about your example of a customer moving the domain to another, I don’t think this is solved by the separation of recursor and auth server, as you will have to remove the forwarding zones from the recursor and/or the dnsdist processes in order to correct the problem.

Best regards,


> On 23 Jan 2018 at 09:58, Brian Candler <B.Candler at pobox.com> wrote:
> There are several reasons why it is best practice to separate your nameservers (even when using bind, you should have two separate instances).  In my experience, the number one problem with mixing recursor and auth at ISP scale is when people move their domains away.
> Suppose a customer has their domain "example.com" on your DNS service.  Some time later they move the domain away to a different ISP, changing the delegation in the registry without telling you. This leaves you with an old, stale authoritative zone on your DNS.
> If the caches and authoritative are the same boxes, then *your* customers will still be seeing data from the stale zone, whilst the rest of the Internet sees the correct data for example.com.  This can lead to problems which are really hard to debug; e.g. your customers can't send mail to example.com, but example.com is unaware of any issue (because mail works fine to everyone else).  So it hits *your* support desk.
> However, if your auth and recursors are separate, there is no problem.  Your recursors follow the delegation to the new authoritative servers at the other ISP; and nobody ever queries the stale example.com zone on your authoritative server, because there is no delegation to it.
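Added example, not part of the original thread and not PowerDNS code: a small audit that compares the zones an operator still hosts (or forwards to its own auth servers) against the NS set the parent zone publishes, to surface the stale-zone case discussed above. The nameserver names, zone list and `PARENT_NS` data are constructed; `lookup_delegation` is a hypothetical hook that in production would query the parent zone's servers rather than your own resolver.

```python
"""Audit hosted authoritative zones against the parent delegation."""

def norm(name):
    # DNS names compare case-insensitively; ignore the trailing root dot.
    return name.strip().rstrip(".").lower()

def classify_zone(zone, our_ns, lookup_delegation):
    """Return 'delegated', 'partial', 'stale' or 'undelegated' for one zone.

    lookup_delegation(zone) must return the NS names the parent zone
    publishes for `zone` (empty if the parent has no delegation at all).
    """
    ours = {norm(n) for n in our_ns}
    parent = {norm(n) for n in lookup_delegation(norm(zone))}
    if not parent:
        return "undelegated"   # domain expired or never registered
    if parent <= ours:
        return "delegated"     # every published NS is one of ours
    if parent & ours:
        return "partial"       # mid-migration or a forgotten NS record
    return "stale"             # customer moved away; our copy is dead data

def audit(zones, our_ns, lookup_delegation):
    """Map every hosted zone that is not cleanly delegated to its status."""
    report = {}
    for zone in zones:
        status = classify_zone(zone, our_ns, lookup_delegation)
        if status != "delegated":
            report[norm(zone)] = status
    return report

# Constructed sample data (assumptions, not from the thread).
OUR_NS = ["ns1.isp.example.", "ns2.isp.example."]
HOSTED = ["Example.com.", "kept.example", "moving.example", "expired.example"]
PARENT_NS = {
    "example.com": ["NS1.other-isp.example.", "ns2.other-isp.example."],
    "kept.example": ["ns1.isp.example.", "ns2.isp.example."],
    "moving.example": ["ns1.isp.example.", "ns1.other-isp.example."],
}

def sample_lookup(zone):
    # Stand-in for a query to the parent zone's authoritative servers.
    return PARENT_NS.get(zone, [])

if __name__ == "__main__":
    for zone, status in sorted(audit(HOSTED, OUR_NS, sample_lookup).items()):
        print(f"{zone}: {status}")
```

Zones reported as `stale` or `undelegated` are the candidates for removal from the auth server and from any forwarding configuration that still points at it.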
