[Pdns-users] Old 3.3.1-1 to 4.1.3 Authoritative and Recursor issue
walterp at gmail.com
Mon Jul 2 17:08:05 UTC 2018
On Mon, Jul 2, 2018 at 8:21 AM, Steven Spencer <steven.spencer at kdsi.com>
> We have been using PowerDNS for a very long time. I've converted from
> several older versions to new ones and separated our recursor from our
> authoritative server about 6 years ago. We are also a small IT shop, so
> sometimes things get behind, which is where we are at the moment with PDNS.
> What I'm trying to get my mind around is the changes to how the recursive
> server communicates with the authoritative server. In an attempt to take
> our new servers live last night, our authoritative server would answer for
> domains that we are authoritative for, but would not answer for anything
> that required the recursor. The recursor, however, answered just fine for
> everything, but showed everything as a Non-authoritative answer, even for
> things that we are authoritative for. In reading the documents, I came
> across the "Migrating from using recursion on the Authoritative Server
> to using a Recursor" (https://doc.powerdns.com/authoritative/guides/recursion.html)
> article which I initially discounted, as we have, again,
> been running separate recursors and authoritative servers for quite a few
> years. The removal of the ability to specify the recursor within the
> pdns.conf, seems to have changed the entire dynamic of the request/reply
> framework. (we used the recursor= to specify the recursor's address which
> resided on its own hardware). Up to this point, our authoritative server
> has had the publicly advertised DNS address, but if I'm reading this
> article correctly, it /looks/ like we need to switch the recursor to run as
> the IP of what we have published as our DNS address. So, my questions are:
> * Is this the case, do I need to change my IP scheme so that the
> recursor(s) for our domain actually have the IP address of the published
> DNS servers?
At the DNS register, add the host name of the authoritative server (which
should be pointed at a separate IP address from the recursive server). The
recursor IP address is not published as a name server. The recursor is added
to /etc/resolv.conf and to the DHCP server as the local DNS server.
> * If so, is it OK that answers will show up on the recursor as
> non-authoritative even if we are indeed authoritative for the domain?
Recursors are never authoritative in a split model. Only the authoritative
server is (hence the name). The recursor looks up the DNS information at
the authoritative (just like everyone else). You override the recursor to
pull DNS directly from your authoritative server, but that is not required.
> * finally, does this adversely affect the way that the root DNS servers
> communicate with our zone?
Root servers don't communicate with you, they respond to DNS requests as
authoritative servers, just like any other authoritative server.
> Thanks in advance,
> Steven G. Spencer, Network Administrator
> KSC Corporate - The Kelly Supply Family of Companies
> Office 308-382-8764 Ext. 1131
> Mobile 402-765-8010
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis