[Pdns-users] pdns + recursor + master / slave

Stef Coene stef.coene at docum.org
Sun Feb 2 22:17:29 UTC 2020

On 2020-02-02 18:43, Mike wrote:
> On 2/1/20 9:13 AM, Stef Coene wrote:
>      Typically, what you really want, is to separate the functions of
> 'authoritative server' and 'recursive resolver', which means that each
> are handled on separate IP addresses.  Bind did/does allow this setup
> and has extensive access controls to sort of make it work, but from an
> operational perspective, it's a really bad idea. The essential reason is
> that combining these functions means that you are essentially overriding
> the internet roots with respect to your domain data, but only from the
> perspective of any clients that happen to depend on you as their
> recursive resolver. Its all fine when the roots point to you for some
> domain, but then later if that domain is moved to a different set of
> nameservers, unless you also update your config to remove that domain,
> you are going to be serving incorrect dns data to all clients who use
> your resolver since it's still going off its local notion of things and
> not referring those queries to the new servers. Typically what customers
> want, is to be able to set up their new hosting somewhere and get it all
> ready, and then do the switch with their name registrar, and then later
> once they are satisfied it's all working, then they call you to
> cancel/delete the domain in question.  Sometimes they are real slow
> about this. Sometimes they never tell you at all. So even if you are
> very proactive and handle these updates as they are requested, you may
> never get the request or at least not in a timely fashion.
>      Both powerdns server and powerdns recursor have settings to specify
> which ip addresses to listen on, which allows them to co-exist on the
> same machine just fine. Your problem with the master not pushing to the
> slave is that the slave server isn't seeing the dns notify from the
> master. In the config you are proposing above, the reason is that by
> default the master will send to the slave on port 53, which I think you
> have as your resolver. In special applications, sure, you can override
> this too. But simply having 2 IPs at each site will resolve this too as
> well as other issues. The settings you want are 'local-address'.
In my case, this is for internal use only.

Currently, I have an authoritative server and a recursor in each 
datacenter and this is working fine.

So my initial question is answered. I need a separate server or a 
different IP address to bind the authoritative server and the recursor.
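The one-address layout that swallows the NOTIFY, next to the two-address layout Mike recommends, written out as config fragments. This is an added example, not configuration from the thread; the 192.0.2.x addresses, the 10.0.0.0/8 "internal" range and the /etc/powerdns file paths are assumptions.

```ini
# --- Before: one IP per site. The recursor holds port 53, so the
# authoritative server is moved to another port. The master still sends
# NOTIFY to 192.0.2.20:53, where the recursor receives and drops it, so
# the slave never learns that the zone changed.

# /etc/powerdns/pdns.conf on site B (slave)
slave=yes
local-address=192.0.2.20
local-port=5300

# /etc/powerdns/recursor.conf on site B
local-address=192.0.2.20
local-port=53

# --- After: a second IP per site. Each daemon binds its own address and
# both can stay on the default port 53, so NOTIFY reaches the slave.

# /etc/powerdns/pdns.conf on site A (master)
master=yes
local-address=192.0.2.10
# Send NOTIFY to the slave's authoritative address (default port 53).
also-notify=192.0.2.20

# /etc/powerdns/pdns.conf on site B (slave)
slave=yes
local-address=192.0.2.20
# Accept NOTIFY only from the master's authoritative address.
allow-notify-from=192.0.2.10

# /etc/powerdns/recursor.conf on site A (site B uses 192.0.2.21)
local-address=192.0.2.11
local-port=53
# Internal use only: answer recursive queries from the internal range alone.
allow-from=10.0.0.0/8
```

Authoritative Server 4.5 and later spell the role settings primary/secondary; master/slave still work as aliases there.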

