[Pdns-users] pdns + recursor + master / slave

Mike mike+lists at yourtownonline.com
Sun Feb 2 22:51:20 UTC 2020


On 2/2/20 2:17 PM, Stef Coene wrote:
> On 2020-02-02 18:43, Mike wrote:
>> On 2/1/20 9:13 AM, Stef Coene wrote:
>>      Typically, what you really want, is to separate the functions of
>> 'authoritative server' and 'recursive resolver', which means that each
>> is handled on separate IP addresses.  Bind did/does allow this setup
>> and has extensive access controls to sort of make it work, but from an
>> operational perspective, it's a really bad idea. The essential reason is
>> that combining these functions means that you are essentially overriding
>> the internet roots with respect to your domain data, but only from the
>> perspective of any clients that happen to depend on you as their
>> recursive resolver. It's all fine when the roots point to you for some
>> domain, but then later if that domain is moved to a different set of
>> nameservers, unless you also update your config to remove that domain,
>> you are going to be serving incorrect dns data to all clients who use
>> your resolver since it's still going off its local notion of things and
>> not referring those queries to the new servers. Typically what customers
>> want, is to be able to set up their new hosting somewhere and get it all
>> ready, and then do the switch with their name registrar, and then later
>> once they are satisfied it's all working, then they call you to
>> cancel/delete the domain in question.  Sometimes they are real slow
>> about this. Sometimes they never tell you at all. So even if you are
>> very proactive and handle these updates as they are requested, you may
>> never get the request or at least not in a timely fashion.
>>
>>      Both powerdns server and powerdns recursor have settings to specify
>> which ip addresses to listen on, which allows them to co-exist on the
>> same machine just fine. Your problem with the master not pushing to the
>> slave is that the slave server isn't seeing the dns notify from the
>> master. In the config you are proposing above, the reason is that by
>> default the master will send to the slave on port 53, which I think you
>> have as your resolver. In special applications, sure, you can override
>> this too. But simply having 2 ip's at each site will resolve this too as
>> well as other issues. The settings you want are 'local-address'.
> In my case, this is for internal use only.
>
> Currently, I have an authoritative server and a recursor in each
> datacenter and this is working fine.
>
> So my initial question is answered. I need a separate server or a
> different IP address to bind the authoritative server and the recursor. 


Well, if you truly are 'internal use only' - meaning you are serving
your own zones which are not connected in any way to the internet roots
- then sure.  Your original scenario can work if having more than 1 ip
per host is an issue - you could set the authoritative server to use
port 5300; the bug in your original is that you did this but didn't
configure the updates to go to same, which I think requires per-zone
metadata to be set.


Mike-
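
The two failure modes discussed in this thread, as an added example that is not part of the message or of PowerDNS itself: it checks whether the authoritative server and the recursor would bind the same socket, and which daemon on the slave host receives a NOTIFY sent to a given port. It assumes IPv4 only, plain key=value config files, the real `local-address` and `local-port` settings, and the defaults listed in the code; the 192.0.2.x addresses and the sample configs are constructed.

```python
# Added example: sample configs are constructed, not taken from the thread.
DEFAULTS = {  # assumed defaults; confirm against your version's documentation
    "auth": {"local-address": "0.0.0.0", "local-port": "53"},
    "recursor": {"local-address": "127.0.0.1", "local-port": "53"},
}
AUTH_5300 = "local-address=192.0.2.10\nlocal-port=5300\n"  # shared IP, alt port
REC_SAME_IP = "local-address=192.0.2.10\n"
AUTH_OWN_IP = "local-address=192.0.2.10\n"                 # one IP per daemon
REC_OWN_IP = "local-address=192.0.2.11\n"

def parse_conf(text):
    """Parse 'key=value' lines, ignoring blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def listeners(text, daemon):
    """Return the set of (ip, port) pairs the daemon would bind."""
    conf = {**DEFAULTS[daemon], **parse_conf(text)}
    addrs = conf["local-address"].replace(",", " ").split()
    return {(addr, int(conf["local-port"])) for addr in addrs}

def conflicts(auth_text, rec_text):
    """Return sorted (ip, port) pairs that both daemons would contend for."""
    clashes = set()
    for a_ip, a_port in listeners(auth_text, "auth"):
        for r_ip, r_port in listeners(rec_text, "recursor"):
            if a_port != r_port:
                continue
            # The wildcard address overlaps every specific address.
            if a_ip == r_ip or "0.0.0.0" in (a_ip, r_ip):
                clashes.add((r_ip if a_ip == "0.0.0.0" else a_ip, a_port))
    return sorted(clashes)

def notify_receiver(slave_ip, auth_text, rec_text, port=53):
    """Name the daemon on the slave host that gets a NOTIFY to slave_ip:port."""
    for name, text in (("auth", auth_text), ("recursor", rec_text)):
        for ip, p in listeners(text, name):
            if p == port and ip in (slave_ip, "0.0.0.0"):
                return name
    return None

if __name__ == "__main__":
    print(notify_receiver("192.0.2.10", AUTH_5300, REC_SAME_IP))  # recursor
    print(notify_receiver("192.0.2.10", AUTH_OWN_IP, REC_OWN_IP))  # auth
```

With the shared-IP layout the default-port NOTIFY reaches the recursor, which is why the slave never sees it; with one address per daemon it reaches the authoritative server.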


