[Pdns-users] How to set up pdns to allow NOTIFY, supermaster, and recursion to work?

Steve Shipway steve.shipway at smxemail.com
Sun Nov 3 22:42:48 UTC 2019


Hi;

We're looking at moving from our current bind-based setup to using
pdns, in order to benefit from the API, web admin tools, and features
such as supermasters.  However, I'm having problems working out how the
4.x branch is supposed to be set up as the recursor and resolver are
separate processes.   Our setup has several separate environments with
their own DNS servers hosting secondaries for the main zone and also
their own zones; we also run a split DNS for these zones but a
different set of servers host the external DNS.

First I set up pdns on a host on port 53 with the various zones.  This
worked for notify and master/slave, and for the API and for the
superslave.  However
* No recursion and so cannot resolve anything not locally hosted (where
bind would just have 'forwarders' configured)

I have tried the suggested approach to having a recursor on port 53
which then forwards certain domains to a resolver on port 5300.
However this breaks because
* Notify packets are dropped by the recursor, not passed on to the
resolver
* The recursor has to be explicitly told which domains to forward to the
resolver rather than knowing dynamically
* This does not seem to work correctly when subdomains are held
elsewhere

Next I tried using dnsdist over the top of both recursor and resolver
(on ports 5300 and 5301) to push on notify packets.  This works better,
but 
* supermaster breaks as notify packets come from localhost
* Even allowing localhost as a supermaster(!) breaks as the return SOA
requests to the dnsdist fail
* Again, the recursor AND dnsdist need to be reconfigured when adding a
new domain to the resolver, which breaks any API-based or supermaster-
based zone creation
* The dnsdist sends requests to the resolver for everything under a
domain but some subdomains should go elsewhere

I've tried adding a second IP to the DNS server and placing the
resolver on that, so that I can set up notify to send to this as an
additional IP, but this again breaks and becomes problematic as we then
have 2 IPs for a single nameserver.

Basically, what I'm trying is to get behaviour similar to the way that
bind and (I think) the 3.x branch worked, with one host that can
respond to all queries and receive notifies.  There doesn't seem to be
a setting in the recursor to say 'pass all zones that the resolver
knows about, and all notifies, to the resolver but the notifies need to
keep their original source IP'.

Is there a document detailing how to set up the various parts of pdns
to achieve this sort of behaviour and allow notify, supermaster, and
general lookups to work?  Note that we're using master/slave
replication rather than mysql replication as not all zones are hosted
on all servers.  We're also trying to keep the network side simple.

Thanks for any pointers;

Steve

-- 
Steve Shipway | Senior Email Systems Administrator 
Phone: +64 9 302 0515 Fax: +64 9 302 0518 
Freephone: 0800 SMX SMX (769 769) 
SMX Limited: Level 10, 19 Victoria Street West, Auckland, New Zealand 
Web: http://smxemail.com 
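
The dnsdist front-end arrangement described in the message above, written out as a configuration. This is an added example, not part of the original post and not the poster's actual configuration. The listen address, pool names, the zone example.org and the assignment of ports 5300/5301 to each backend are assumptions.

```lua
-- dnsdist.conf: added illustration of the layout the message describes.
-- All addresses, pool names and the zone name are constructed.

setLocal("192.0.2.53:53")   -- the single public address of the name server

-- Both daemons sit behind dnsdist on loopback (ports from the message;
-- which daemon uses which port is assumed here).
newServer({address="127.0.0.1:5300", pool="recursor"})
newServer({address="127.0.0.1:5301", pool="auth"})

-- NOTIFY is opcode 4. Route it by opcode to the authoritative server so it
-- is not dropped by the recursor.
addAction(OpcodeRule(DNSOpcode.Notify), PoolAction("auth"))

-- Zones the authoritative server holds have to be listed here by hand.
-- A zone created later through the API or by a supermaster NOTIFY is not
-- known to this list until the file is edited and reloaded.
local hosted = newSuffixMatchNode()
hosted:add(newDNSName("example.org."))
addAction(SuffixMatchNodeRule(hosted), PoolAction("auth"))

-- Suffix matching sends every name under example.org to the "auth" pool,
-- including subdomains that are really held elsewhere. Each such subdomain
-- would need its own rule placed before the rule above.

-- Everything else is resolved recursively.
addAction(AllRule(), PoolAction("recursor"))

-- dnsdist is a proxy: the backend sees each forwarded packet arriving from
-- dnsdist's own address (127.0.0.1 here), not from the real master.
-- The supermaster check on the authoritative server compares the NOTIFY
-- source address with its list of supermasters, so it no longer matches.
-- Listing 127.0.0.1 as a supermaster removes the distinction between
-- senders: every NOTIFY that reaches port 53 then looks like it came
-- from a trusted master.
```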
