[Pdns-users] Hidden Master, Dynamic IPv4, IPv6 Privacy

Matthew Monaco matt at monaco.cx
Fri Mar 27 16:23:34 UTC 2020


What is PDNS protecting me from by requiring that the slave keeps a list of
master IPs in the `domains` table? I think what I would like is for
notifies to be allowed from any address, to rely on TSIG to protect AXFRs,
and to use the SOA NS record for polling -- of course I'm wrong, I just
don't know why yet :)

I have what I assume is a not too uncommon setup. I keep my master at home
because 1) I only have a dynamic IPv4 address and 2) I want to keep my
DNSSEC root close. The slaves are at more-stable cloud providers with
static IPv4 and IPv6 and are the ones listed with my registrar. All
instances are using the sqlite backend and are recent (4.2.1). So the
outbound address from my master is:

 - From a dynamic IPv4 address
 - From an IPv6 prefix which should be stable but does change sometimes in
 - And/or from an IPv6 privacy-extension address with a limited lifetime.

Right now my workaround is to disable IPv6 privacy on the master, hope that
my IPv4 and IPv6 prefixes change at different times, and run a script on
the slaves to `change-slave-zone-master` based on the NS records for the
master that are on the slave. Not part of the workaround is that I run a
script near the master which uses rfc2136 to keep the master's A/AAAA
records up to date.
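One way to implement the slave-side workaround described above, as an added example that is not part of the original post: it reconciles the slave's stored master list with whatever addresses the slave currently holds for the master's NS name, and deliberately refuses to empty that list when nothing usable resolved, so a transient lookup failure cannot leave the slave with no master to poll. It assumes the gsqlite3 `domains` table (columns `name`, `master`, `type`) and writes the same `master` column that `pdnsutil change-slave-zone-master` sets; the resolved addresses and the database contents are constructed sample data so it runs offline.

```python
# Added example (not the original poster's script): keep a PowerDNS slave's
# configured masters in sync with the A/AAAA records it holds for the master.
import ipaddress
import sqlite3

# Addresses a NOTIFY or AXFR source on the public internet can never be.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8")]


def current_masters(conn, zone):
    """Return the comma-separated domains.master list for `zone` as a set."""
    row = conn.execute("SELECT master FROM domains WHERE name = ?",
                       (zone,)).fetchone()
    if row is None:
        raise KeyError(f"zone {zone} is not configured on this slave")
    return {m.strip() for m in (row[0] or "").split(",") if m.strip()}


def usable_masters(addrs):
    """Keep syntactically valid addresses outside the BLOCKED ranges."""
    out = set()
    for a in addrs:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            continue  # garbage in the answer, e.g. a CNAME target string
        if not any(ip in net for net in BLOCKED):
            out.add(str(ip))
    return out


def sync_masters(conn, zone, resolved_addrs):
    """Replace the stored master list only when the usable resolved set is
    non-empty and differs from it. Returns (changed, masters_now)."""
    old = current_masters(conn, zone)
    new = usable_masters(resolved_addrs)
    if not new or new == old:
        return False, old
    conn.execute("UPDATE domains SET master = ? WHERE name = ?",
                 (",".join(sorted(new)), zone))
    conn.commit()
    return True, new


def make_demo_db():
    """Constructed in-memory stand-in for the slave's gsqlite3 database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT, "
                 "master TEXT, type TEXT)")
    conn.execute("INSERT INTO domains (name, master, type) VALUES "
                 "('example.net', '198.51.100.7', 'SLAVE')")
    return conn
```

With TSIG required on the AXFR, an attacker who can spoof a NOTIFY from a listed address still cannot feed the slave zone data, but a wrong entry in `domains.master` does decide which host the slave asks; hence the refusal to write an empty or unfiltered list.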
