[Pdns-users] Old 3.3.1-1 to 4.1.3 Authoritative and Recursor issue

Steven Spencer steven.spencer at kdsi.com
Mon Jul 2 17:25:27 UTC 2018


On 07/02/2018 12:08 PM, Walter Parker wrote:
>
> On Mon, Jul 2, 2018 at 8:21 AM, Steven Spencer
>     <steven.spencer at kdsi.com> wrote:
>
>     Greetings,
>
>     We have been using PowerDNS for a very long time. I've converted
>     from several older versions to new ones and separated our recursor
>     from our authoritative server about 6 years ago. We are also a
>     small IT shop, so sometimes things get behind, which is where we
>     are at the moment with PDNS.
>
>     What I'm trying to get my mind around is the changes to how the
>     recursive server communicates with the authoritative server. In an
>     attempt to take our new servers live last night, our authoritative
>     server would answer for domains that we are authoritative for, but
>     would not answer for anything that required the recursor. The
>     recursor, however, answered just fine for everything, but showed
>     everything as a Non-authoritative answer, even for things that we
>     are authoritative for. In reading the documents, I came across the
>     "Migrating from using recursion on the Authoritative Server to
>     using a Recursor"
>     (https://doc.powerdns.com/authoritative/guides/recursion.html)
>     article which I initially discounted, as we have, again, been
>     running separate recursors and authoritative servers for quite a
>     few years. The removal of the ability to specify the recursor
>     within the pdns.conf, seems to have changed the entire dynamic of
>     the request/reply framework. (we used the recursor= to specify the
>     recursor's address which resided on its own hardware). Up to this
>     point, our authoritative server has had the publicly advertised
>     DNS address, but if I'm reading this article correctly, it /looks/
>     like we need to switch the recursor to run as the IP of what we
>     have published as our DNS address. So, my questions are:
>
>     * Is this the case, do I need to change my IP scheme so that the
>     recursor(s) for our domain actually have the IP address of the
>     published DNS servers?
>
> At the DNS register, add the host name of the authoritative server
> (which should be pointed at a separate IP address from the recursive
> server). The recursor IP address is not published as a name server.
> The recursor is added to /etc/resolv.conf and to the DHCP server as the
> local DNS server.
That server is already there and published and the recursor is already
separate as indicated
>
>     * If so, is it OK that answers will show up on the recursor as
>     non-authoritative even if we are indeed authoritative for the domain?
>
> Recursors are never authoritative in a split model. Only the
> authoritative server is (hence the name). The recursor looks up the
> DNS information at the authoritative (just like everyone else). You
> override the recursor to pull DNS directly from your 
> authoritative server, but that is not required.
Which is what I assumed when I took this live last night and then backed
it out.
>
>     * finally, does this adversely affect the way that the root DNS
>     servers communicate with our zone?
>
> Root servers don't communicate to you; they respond to DNS requests as
> authoritative servers, just like any other authoritative server.
>
OK, so this is again what I assumed last night when I attempted to take
this live.

Walter, I appreciate your response. What I'm hearing is that the IP of
the authoritative server as already registered, should be correct with
no need to change it. The recursors would be used as local DNS servers
(i.e., in your example /etc/resolv.conf), which if you are using your
own DNS currently on devices in your organization, would mean a
fork-lift upgrade to use the recursors instead. I'm also hearing that
querying your authoritative DNS for something that it is not
authoritative for, should in fact return refused.

As long as the recursor does return the correct information (as ours
did) can we assume that things are working? Is there a good way to make
sure that the authoritative server is properly configured before an
actual go-live? (testing methodology)

Thanks again for your response.
>
>     Thanks in advance,
>
>     -- 
>     Steven G. Spencer, Network Administrator
>     KSC Corporate - The Kelly Supply Family of Companies
>     Office 308-382-8764 Ext. 1131
>     Mobile 402-765-8010 
>
>
>
>
> Walter
>
> -- 
> The greatest dangers to liberty lurk in insidious encroachment by
> men of zeal, well-meaning but without understanding.   -- Justice
> Louis D. Brandeis


-- 
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 1131
Mobile 402-765-8010 
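One way to answer the testing-methodology question above, as an added example that is not part of the thread: a small POSIX shell script that runs three `dig` queries and checks the reply header for the expected RCODE and the AA (authoritative answer) flag. It encodes the behaviour described in this thread: the authoritative server answers its own zone with AA set and returns REFUSED for names it does not host, while the recursor resolves the zone but without AA. `AUTH_IP`, `RECURSOR_IP`, `ZONE` and `EXTERNAL_NAME` are placeholders to override in the environment; the `self_test` function exercises the header parser offline against constructed `dig +noall +comments` output.

```shell
#!/bin/sh
# Pre-go-live checks for a split PowerDNS setup (authoritative + recursor).
# Added example, not from the thread. AUTH_IP, RECURSOR_IP, ZONE and
# EXTERNAL_NAME are placeholders; override them in the environment.
AUTH_IP="${AUTH_IP:-192.0.2.53}"               # placeholder: published authoritative server
RECURSOR_IP="${RECURSOR_IP:-192.0.2.10}"       # placeholder: internal recursor
ZONE="${ZONE:-example.com}"                    # placeholder: a zone you host
EXTERNAL_NAME="${EXTERNAL_NAME:-powerdns.com}" # placeholder: a name you do not host

# check_reply EXPECTED_STATUS aa|noaa  < output of "dig ... +noall +comments"
# Verifies the RCODE in the HEADER line and whether the AA (authoritative
# answer) flag is set. Returns 0 when both match the expectation, else 1.
check_reply() {
    want_status="$1"
    want_aa="$2"
    reply=$(cat)
    status=$(printf '%s\n' "$reply" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    if printf '%s\n' "$reply" | grep -q '^;; flags:.* aa[ ;]'; then
        have_aa="aa"
    else
        have_aa="noaa"
    fi
    if [ "$status" = "$want_status" ] && [ "$have_aa" = "$want_aa" ]; then
        return 0
    fi
    return 1
}

# The three live checks (need dig and network access):
#  1. the authoritative server answers its own zone with AA set;
#  2. it returns REFUSED for a name it is not authoritative for;
#  3. the recursor resolves the zone, but without AA (expected in a split setup).
run_checks() {
    rc=0
    dig @"$AUTH_IP" "$ZONE" SOA +noall +comments | check_reply NOERROR aa \
        || { echo "FAIL: $AUTH_IP is not authoritative for $ZONE"; rc=1; }
    dig @"$AUTH_IP" "$EXTERNAL_NAME" A +noall +comments | check_reply REFUSED noaa \
        || { echo "FAIL: $AUTH_IP did not refuse $EXTERNAL_NAME"; rc=1; }
    dig @"$RECURSOR_IP" "$ZONE" SOA +noall +comments | check_reply NOERROR noaa \
        || { echo "FAIL: $RECURSOR_IP did not resolve $ZONE non-authoritatively"; rc=1; }
    return $rc
}

# Offline self-check using constructed dig header output, so the parser can
# be exercised without any live servers.
self_test() {
    auth_reply=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
    refused_reply=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
    recursor_reply=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
    printf '%s\n' "$auth_reply"     | check_reply NOERROR aa   || return 1
    printf '%s\n' "$refused_reply"  | check_reply REFUSED noaa || return 1
    printf '%s\n' "$recursor_reply" | check_reply NOERROR noaa || return 1
    # A recursor reply must not pass the "authoritative" expectation.
    if printf '%s\n' "$recursor_reply" | check_reply NOERROR aa; then
        return 1
    fi
    return 0
}

if [ "${1:-}" = "run" ]; then
    run_checks
else
    self_test && echo "self-test passed"
fi
```

Run it as `sh check-dns.sh run` against the real servers once they are reachable; without the argument it only runs the offline self-test. The third check is the one that matters for the question in this thread: a correct, non-authoritative answer from the recursor for your own zone is the expected result, not a misconfiguration.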
