[Pdns-users] dnssec and lua-config--file

Brian Candler b.candler at pobox.com
Wed May 13 07:43:19 UTC 2020

On 13/05/2020 08:18, Pierrick CHOVELON via Pdns-users wrote:
> Now, let's imagine I want to resolve foo.example.net and also bar.example.net.
> Do I have to create two zone files, one for foo.example.net and one for 
> bar.example.net, like I did previously? Or is it possible to have a single 
> file (example.net) in which I add the two records?
> In that case, will it have some issue with other records?

Pdns separates the recursor and authoritative server roles.

At the recursor, you will need forward rules for foo.example.net and 
bar.example.net pointing to your authoritative server, which is 
providing the fake/non-public data for foo.example.net and 
bar.example.net.  "forward-zones-file" is the easiest way to do that.

At the authoritative server, I'd say it's least confusing if you also 
create separate zones for foo.example.net and bar.example.net.  However 
you *could* make it authoritative for example.net (or .net, or even the 
entire DNS root).  If it's private auth DNS, and it's not going to be 
receiving delegated queries from anyone else on the Internet, it doesn't 

Are you trying to mix in individual private hosts to a public domain?  
The way I prefer to handle this is to have a single domain for private 
DNS, e.g. int.example.net, and put everything under there - 
foo.int.example.net, bar.int.example.net.  It's a lot cleaner, less work 
to manage, and less opportunity for mistakes.

Also, in the public DNS I put an NS record for int.example.net pointing 
to a separate public-facing DNS server with an empty zone file for 
int.example.net.  This server permits dynamic DNS updates from my 
internal machines - I use it for responding to dns01 challenges for 
LetsEncrypt certificates.  This means internal machines can have valid 
certificates, even though foo.int.example.net is not reachable from the 
public Internet, and its address is not visible in the public DNS either.
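An added example (editor's code, not Brian's and not part of PowerDNS): a small parser and linter for the recursor's forward-zones-file format that the reply recommends. It follows the format documented for the recursor (one `zone=ip[:port], ip[:port]` entry per line, `+` for forward-zones-recurse semantics, `^` to accept NOTIFY from the listed servers in recent recursor versions, `#` comments) and flags entries that are shadowed by a more specific forwarded zone, since the recursor applies the longest matching forward zone. The zone names and server addresses are constructed sample data. One caveat that belongs with this setup, and which is the subject line of the thread: if example.net is DNSSEC-signed and the recursor validates, the private answers for foo.example.net will fail validation unless a negative trust anchor for those names is added in the lua-config-file (`addNTA`).

```python
"""Parse and sanity-check a PowerDNS Recursor forward-zones-file (example code).

Format: one zone per line, "zone=ip[:port][, ip[:port]...]".  A leading "+"
gives forward-zones-recurse semantics; a leading "^" also accepts NOTIFY from
the listed servers (recent recursor versions; both prefixes may be combined).
"#" starts a comment.  IPv6 servers with a port are written [addr]:port.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Tuple


@dataclass
class ForwardZone:
    zone: str                       # lower-case, no trailing dot ("." for root)
    servers: List[Tuple[str, int]]  # (ip literal, port)
    recurse: bool = False           # "+" prefix
    allow_notify: bool = False      # "^" prefix


def _split_server(spec: str) -> Tuple[str, int]:
    """Turn 'ip', 'ip:port' or '[v6]:port' into (ip, port), defaulting to 53."""
    spec = spec.strip()
    if spec.startswith("["):
        host, _, rest = spec[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else 53
    elif spec.count(":") == 1:          # IPv4 with port
        host, port_s = spec.split(":")
        port = int(port_s)
    else:                               # bare IPv4 or bare IPv6
        host, port = spec, 53
    ip_address(host)                    # ValueError if not an IP literal
    if not 0 < port < 65536:
        raise ValueError(f"bad port in {spec!r}")
    return host, port


def _norm(zone: str) -> str:
    return zone.strip().lower().rstrip(".") or "."


def parse_forward_zones_file(text: str) -> List[ForwardZone]:
    entries: List[ForwardZone] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        recurse = allow_notify = False
        while line and line[0] in "+^":
            if line[0] == "+":
                recurse = True
            else:
                allow_notify = True
            line = line[1:]
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected zone=server[, server]")
        zone, servers = line.split("=", 1)
        parsed = [_split_server(s) for s in servers.split(",") if s.strip()]
        if not parsed:
            raise ValueError(f"line {lineno}: no servers for {zone.strip()!r}")
        entries.append(ForwardZone(_norm(zone), parsed, recurse, allow_notify))
    return entries


def render_forward_zones(entries: List[ForwardZone]) -> str:
    """Inverse of parse_forward_zones_file, in the same file format."""
    lines = []
    for e in entries:
        prefix = ("+" if e.recurse else "") + ("^" if e.allow_notify else "")
        servers = ", ".join(
            ip if port == 53 else (f"[{ip}]:{port}" if ":" in ip else f"{ip}:{port}")
            for ip, port in e.servers
        )
        lines.append(f"{prefix}{e.zone}={servers}")
    return "\n".join(lines) + "\n"


def find_shadowed(entries: List[ForwardZone]) -> List[Tuple[str, str]]:
    """(child, parent) pairs that are both forwarded.  The recursor picks the
    longest matching forward zone, so the child wins for names under it; the
    parent entry only applies to the rest of that domain.  Worth knowing when
    the two point at different servers."""
    names = {e.zone for e in entries}
    out = []
    for e in entries:
        labels = e.zone.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            if parent in names:
                out.append((e.zone, parent))
                break
    return out


# Constructed sample: two private names served by an internal auth server,
# the single-private-subdomain layout from the reply, and one recursing forward.
SAMPLE = """\
# private views of two public names, served by the internal authoritative server
foo.example.net=192.0.2.53
bar.example.net=192.0.2.53
# one private subdomain instead; second server on a non-default port
int.example.net=192.0.2.53, 192.0.2.54:5300
# forward-zones-recurse semantics, IPv6 upstream with explicit port
+corp.example.com=[2001:db8::53]:5353
"""

if __name__ == "__main__":
    parsed = parse_forward_zones_file(SAMPLE)
    print(render_forward_zones(parsed), end="")
    print("shadowed:", find_shadowed(parsed))
```

Run it against your real forward-zones-file to catch a malformed server address or a missing `=` before the recursor does, and to see which entries overlap.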
