[Pdns-users] Planning a PowerDNS Auth Server Upgrade - 3.3.3 > Latest
charlieredd007 at gmail.com
Tue Apr 6 12:01:34 UTC 2021
I found out that our app using powerdns is woefully out of date. We are
running v. 3.3.3. Ouch, EOL'd 2017. I understand from reading the auth
upgrade notes and doc that the path to upgrade looks something like 3.3.3 >
3.4.2 > 4.0.0 > latest. But really, this is an upgrade in database schemas
plus install/config of the latest pdns-auth server? I know I'm simplifying
it here, highly.
A couple questions if anyone has had the pleasure of upgrading such an
aging setup. I am just trying to short circuit going down some deep rabbit
holes if there are already known issues I need to combat.
1. Will my existing authoritative nodes still run as they do today with the
updated schemas? Looking at the changes, it appears they might, but, I'm
not quite familiar enough with the inner workings of pdns-auth servers to
know for sure. If there is a doc someone can point me to I would
2. We don't actually hit a primary powerdns api server. We write directly
to the database the records we want. I find this less than ideal, and is a
ticking time bomb for more issues. This is going to be a change in a future
update is the plan. In the meantime, is keeping this method going to cause
us any major issues? It looks like some of the db record types are changed
from a generic field to something specific. I see this as a potential
avenue of pain, but, I'm not sure what else there may be.
3. Here is my rough plan I have come up with so far. I have a lot of
testing I need to do. We'll freeze record updates and do a change window,
so we can update schemas, roll changes, test.
- Build a fresh set of nameservers that is going to take over the existing
ones, that are on a current os, running latest mariadb, and latest
powerdns. This seems like the easy way to revert back should we need to so
I'm not scrambling to deal with servers and software, but just rolling my
- Get those new nodes replicating off of our primary server. Up to this
point, I expect pdns to not start or run yet.
- Implement the new schema / roll any code updates for our side needed to
play with the updated schemas. At this point the new nodes should be able
to start. I'm hoping my old nodes are still running as normal to answer
- Switch our records to point to the new auth servers away from the old
ones. This seems like the most graceful way to cut over without causing end
- Never let our setup get this far out of date again, as this is much more
complicated that I think it ought to be.
What other obvious things am I missing? What else should I be looking at /
better understanding? Any war stories / horror stories would also be
appreciated in hopes of not repeating history. Any other suggestions
besides making sure I have a good bottle of bourbon handy?
Thanks in advance!
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Pdns-users