[Pdns-users] dnssec and lua-config--file
b.candler at pobox.com
Wed May 13 07:43:19 UTC 2020
On 13/05/2020 08:18, Pierrick CHOVELON via Pdns-users wrote:
> Now, let's imagine I want to resolve foo.example.net
> <http://foo.example.net> and also bar.example.net
> Do I have to create two zone files one for foo.example.net
> <http://foo.example.net> and one for bar.example.net
> <http://bar.example.net>) like I did previously ? or is it possible to
> have a single one file (example.net <http://example.net>) in which I
> add the two records ?
> In that case, will it have some issue with others records ?
Pdns separates the recursor and authoritate server roles.
At the recursor, you will need forward rules for foo.example.net and
bar.example.net pointing to your authoritative server, which is
providing the fake/non-public data for foo.example.net and
bar.example.net. "forward-zones-file" is the easiest way to do that.
At the authoritative server, I'd say it's least confusing if you also
create separate zones for foo.example.net and bar.example.net. However
you *could* make it authoritative for example.net (or .net, or even the
entire DNS root). If it's private auth DNS, and it's not going to be
receiving delegated queries from anyone else on the Internet, it doesn't
Are you trying to mix in individual private hosts to a public domain?
The way I prefer to handle this is to have a single domain for private
DNS, e.g. int.example.net, and put everything under there -
foo.int.example.net, bar.int.example.net. It's a lot cleaner, less work
to manage, and less opportunity for mistakes.
Also, in the public DNS I put an NS record for int.example.net pointing
to a separate public-facing DNS server with an empty zone file for
int.example.net. This server permits dynamic DNS updates from my
internal machines - I use it for responding to dns01 challenges for
LetsEncrypt certificates. This means internal machines can have valid
certificates, even though foo.int.example.net is not reachable from the
public Internet, and its address is not visible in the public DNS either.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Pdns-users