[Pdns-users] Hidden Master, Dynamic IPv4, IPv6 Privacy
klaus.darilion at nic.at
Fri Mar 27 19:41:26 UTC 2020
DNS Master/Slave was not designed for dynamic IP addresses. As a workaround you could use some overlay whoch provides a static IP (OpenVPN, stunnel, ssh tunnels, ...)
Gesendet über BlackBerry Work (www.blackberry.com)
Von: Matthew Monaco via Pdns-users <pdns-users at mailman.powerdns.com>
Gesendet: 27.03.2020 17:24
An: pdns-users at mailman.powerdns.com
Betreff: [Pdns-users] Hidden Master, Dynamic IPv4, IPv6 Privacy
What is PDNS protecting me from by requiring that the slave keeps a list of master IPs in the `domains` table? I think what I would like is for notifies to be allowed from any address, to rely on TSIG to protect AXFRs, and to use the SOA NS record for polling -- of course I'm wrong, I just don't know why yet :)
I have what I assume is a not too uncommon setup. I keep my master at home because 1) I only have a dynamic IPv4 address and 2) I want to keep my DNSSEC root close. The slaves are at more-stable cloud providers with static IPv4 and IPv6 and are the ones listed with my registrar. All instances are using the sqlite backend and are recent (4.2.1). So the outbound address from my master is:
- From a dynamic IPv4 address
- From a IPv6 prefix which should be stable but does change sometimes in practice
- And/or from an IPv6 privacy-extension address with a limited lifetime.
Right now my workaround is to disable IPv6 privacy on the master, hope that my IPv4 and IPv6 prefixes change at different times, and run a script on the slaves to `change-slave-zone-master` based on the NS records for the master that are on the slave. Not part of the workaround is that I run a script near the master which uses rfc2136 to keep the master's A/AAAA records up to date.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Pdns-users