[Pdns-users] recursor - pdns authoritative and axfr problem

Brian Candler b.candler at pobox.com
Tue Sep 25 10:10:04 UTC 2018

On 25/09/2018 10:45, Bernd Krueger-Knauber wrote:
>> All the recursors who query your
>> authoritative domains will get the AA flag, since they're querying an
>> authoritative server directly.
> Yes, and the pdns is also open for the complete internet, since it is
> the SOA and has to be reachable for all, and also open for all DoS attacks.
> So what is the difference to the 'open' recursor?

powerdns-authoritative is not a recursor (recursive queries are refused).

For details of why open recursors are bad, see 

Authoritative nameservers obviously must answer queries from anyone, but 
they are harder to use as DoS amplifiers.

> SOA points to a server which can answer the request with AA flag,
> since it is the master of this zone.
No.  SOA is not used in resolution.  It's the set of *NS* records within 
the zone which are authoritative for the zone, and which recursors can 
send queries to.

The SOA record contains a "master" nameserver and a contact E-mail 
address, but these are really just for human debugging purposes. (Well 
actually, NOTIFY and UPDATE requests should go to the master, but 
recursive resolution ignores this and follows the NS records only)

> The NS records point to servers which can give fast answers for this
> zone, but also for foreign zones.
That makes no sense.  The NS records for a zone point to authoritative 
servers for the zone.  Whether they are "fast" or not is irrelevant; 
they are the *only* servers which may be queried.

"Foreign" zone is meaningless.  An authoritative server will only answer 
for zones which it is authoritative for, and will respond with a REFUSED 
response for anything else.

> In general I still have no answer to the question why I get no AA flag
> via the recursor.

By definition, any answer from a recursive nameserver is not 
authoritative, because it did not come directly from the authoritative 
server.  Recursors are caches.  Cached data is not authoritative - it 
may be stale.

> Even if I split it to different IPs I get only an AA flag from the pdns.
From the pdns-authoritative server, correct.  That's how it's supposed 
to work.

> And still the problem: how can I tell the recursor from the database
> which domains are reachable via our own pdns.
> (to avoid that it calls an other nameserver)
Your recursor will follow the NS records, just like any other recursor, 
and therefore it will find your authoritative nameserver(s) and get 
the answers from there.

If you really want, you can use domain forwarding rules in your recursor 
to tell it where to forward the queries; but why do that when the NS 
records do it automatically?

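As an added illustration (not part of the thread or of PowerDNS), a small Python parser that reads the 12-byte DNS header and reports the AA, RA and RCODE bits, applied to constructed sample headers for the three cases Brian describes: a direct answer from the authoritative server (AA set), the same data served from the recursor's cache (AA clear, RA set), and an authoritative server answering REFUSED for a zone it does not serve.

```python
import struct

# Flags word layout from RFC 1035 section 4.1.1:
# QR(1) Opcode(4) AA(1) TC(1) RD(1) RA(1) Z(3) RCODE(4)
RCODE_REFUSED = 5


def build_header(qr, aa, rd, ra, rcode, txid=0x1234):
    """Build a constructed 12-byte DNS header (one question, no answers)."""
    flags = (qr << 15) | (aa << 10) | (rd << 8) | (ra << 7) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


def parse_flags(header):
    """Extract the header flag bits from the first 12 bytes of a DNS message."""
    if len(header) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", header[:12])
    return {
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
    }


def classify(header):
    """Name the kind of responder the header bits indicate."""
    f = parse_flags(header)
    if f["rcode"] == RCODE_REFUSED:
        return "refused"          # authoritative server asked for a zone it does not serve
    if f["aa"]:
        return "authoritative"    # answer came straight from an authoritative server
    if f["ra"]:
        return "recursor"         # cached, non-authoritative data from a recursor
    return "non-authoritative"


# Constructed sample headers (not captured traffic) for the thread's three cases.
SAMPLES = {
    "direct answer from pdns-authoritative": build_header(1, 1, 0, 0, 0),
    "same data via pdns-recursor cache": build_header(1, 0, 1, 1, 0),
    "authoritative asked for a foreign zone": build_header(1, 0, 1, 0, RCODE_REFUSED),
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(f"{label}: {classify(hdr)} {parse_flags(hdr)}")
```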