[Pdns-users] Hidden Master, Dynamic IPv4, IPv6 Privacy

[Brian Candler]

On 27/03/2020 16:23, Matthew Monaco via Pdns-users wrote:
> What is PDNS protecting me from by requiring that the slave keeps a 
> list of master IPs in the `domains` table?

Notifies are optional and unreliable, so they can't be depended on.

By design, slaves contact the master periodically, to check that they 
have the up-to-date data: they query the SOA serial number and check to 
see if it has increased on the master, and if so, perform an AXFR.  The 
interval at which they perform this check is controlled by the SOA - 
actually two fields, one for normal retry interval and one for retry 
after failure.

The master field in the SOA record is not used for zone transfers - it's 
really just an FYI field as a hint when debugging. Consider that you can 
have a chain of master -> slave1 -> slave2, and slave1/slave2 need to be 
configured differently to point to their respective upstream.  Nor is 
the source IP address of a notify, should it arrive, used as the master 
address.

You say you are already doing dynamic DNS updates for the master's 
A/AAAA records.  I don't know if powerdns supports resolving a hostname 
for the master (I'm pretty sure BIND only allows IP addresses).  However 
you could write a script which resolves the master's DDNS name every 5 
minutes or whatever, and then updates the IP address in the domains table.

HTH,

Brian.