[Pdns-users] PowerDNS with Hidden master + MySQL replication in various scenarios

Chris Wopat me at falz.net
Mon Jul 26 14:55:40 UTC 2021

Hi folks,

I'm working on a project standing up new DNS servers using PowerDNS
instead of bind. Various reasons to switch, but more or less this
seems a lot more operator friendly with API and whatnot.

Anyhow, the 'legacy' system has 3 servers - adns0, adns1, adns2. 0 is
hidden master and is where all changes are made. In this current
system, 1 and 2 get updated with some scripts that manually push zone
files, including named.conf, from 0 to the other servers.

In our new system, we're looking to also have 3 servers with a hidden
master - ns0, ns1, ns2. They're set up using MySQL replication where
ns0 is the primary and ns1/ns2 are the replicas (slaves). On the
replicas, we have the pdns MySQL auth set to read-only to ensure it
can only read from the db. We also have secondary=no on these servers.

No domains should have 'ns0' listed on whois or NS records, but it
will be the SOA MNAME in any case where we're primary (1 and 2 below).

Anyhow, we have at least 3 scenarios of domains we host.

1) NS1/NS2 are authoritative + only things listed on whois. We'd edit
records on NS0, which are sql replicated across NS0/1/2. This should
be fine as is with zones set to NATIVE.

No questions here as this seems like standard operating, but please
chime in if something seems off.

2) Just like item 1), BUT the domain also has a few other nameservers
that we do not control listed as NS/whois
(ns1/ns2/someoneelse1/someoneelse2). I presume these should be set to
type PRIMARY and primary=yes in our pdns.conf on ns1/ns2 (but not

Question: which nameservers send notify in this case? We'd only want
ns1 and ns2 to do so, hence primary=yes. Does this seem correct?

3) We're secondary-only to a primary server we don't manage. In our
current situation, legacy servers adns1/adns2 perform the AXFR. In the
new scenario, we want this to be hidden master ns0 and NOT ns1/ns2,
because of database read only. ns0 pdns.conf gets secondary=yes,
ns1/ns2 do not.

Question: Will this even function if ns0 isn't listed on NS
records/whois? If not, am I forced to have all 3 servers be able to
write to the replicated DB? This seems like either it wouldn't work at
all or would cause issues over time.
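As an added example (not from the original post and not PowerDNS's own documentation), here is one way the three roles described above split across pdns.conf on each host. It assumes PowerDNS 4.5+ (where primary=/secondary= are the setting names), the gmysql backend against a shared database named `pdns`, and the addresses 192.0.2.10 (ns0), 192.0.2.11/192.0.2.12 (ns1/ns2) and 198.51.100.53 (an upstream primary we don't manage), all of which are placeholders. The `...` values are placeholders too.

```ini
# ---------------------------------------------------------------
# ns0 (hidden primary): the ONLY host whose pdns user may write to
# the replicated database. Not listed in any NS record.
# ---------------------------------------------------------------
launch=gmysql
gmysql-host=127.0.0.1
gmysql-dbname=pdns
gmysql-user=pdns_rw                  # assumed name: user with INSERT/UPDATE/DELETE
gmysql-password=...

# All edits happen here, via the API or pdnsutil.
api=yes
api-key=...
webserver=yes
webserver-address=127.0.0.1

# Scenario 2: do NOT send NOTIFY from the hidden host; ns1/ns2 do that.
primary=no

# Scenario 3: ns0 is the host that performs AXFR for SLAVE zones and
# writes the transferred records into the DB, which then replicates
# to ns1/ns2 over MySQL. Only accept NOTIFY from that upstream.
secondary=yes
allow-notify-from=198.51.100.53
# Zones ns0 is not notified about are still refreshed by SOA polling
# once each zone's refresh interval elapses (checked every cycle).
xfr-cycle-interval=60

# ---------------------------------------------------------------
# ns1 and ns2 (public, read-only replicas): identical config.
# ---------------------------------------------------------------
launch=gmysql
gmysql-host=127.0.0.1
gmysql-dbname=pdns
gmysql-user=pdns_ro                  # assumed name: SELECT-only user
gmysql-password=...

api=no                               # no write path on the public hosts
secondary=no                         # never AXFR here (scenario 3 is ns0's job)

# Scenario 2: these are the hosts listed in NS records, so they send
# NOTIFY for zones of type MASTER/PRIMARY to the other NS records.
primary=yes
# Optional: extra targets not in the NS RRset.
# also-notify=203.0.113.7

# Scenario 1/2: zone transfers out only to the other public host
# (and to any external secondary the zone owner runs).
disable-axfr=no
allow-axfr-ips=192.0.2.11,192.0.2.12
```

Zone kinds are stored per zone in `domains.type`: `NATIVE` for scenario 1 (replication alone distributes the data), `MASTER` for scenario 2 (`pdnsutil set-kind ZONE MASTER`; 4.5 also accepts PRIMARY as the name), and `SLAVE` with the upstream address in `domains.master` for scenario 3 (`pdnsutil create-secondary-zone ZONE 198.51.100.53`, run on ns0). Two checks worth doing on this layout: first, enforce the read-only property at the database rather than only at the grant, with `SET GLOBAL super_read_only = ON` on the ns1/ns2 MySQL replicas, so a misconfigured pdns user cannot diverge a replica; second, remember that primary mode is not purely read-only, because PowerDNS records the last serial it announced in `domains.notified_serial` after each NOTIFY run. With a SELECT-only user on ns1/ns2 that UPDATE fails, and the zone stays eligible for notification on the next cycle. Either grant `UPDATE` on that column and accept writes on a replica (which the `super_read_only` setting above would block), or send NOTIFYs from ns0 instead, using `only-notify`/`also-notify` so the hidden host's address never appears in NS records. Note also that with primary=yes on both ns1 and ns2, each will NOTIFY the other as well as the external servers; the receiving host is not a secondary for the zone and discards the message, which is harmless but shows up in logs.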

