[Pdns-users] zone forwarding in 4.0.6
Brian Candler
b.candler at pobox.com
Tue Apr 5 07:45:11 UTC 2022
On 04/04/2022 23:57, Brian Lehnhardt via Pdns-users wrote:
>
> It seems like this should just work, but perhaps I am missing
> something. I'm using an older version of pdns as you can see from my
> config, and I can't seem to find any documentation on this older
> version. Any idea what I'm doing wrong here?
>
Indeed you are using a very old, unsupported version:
https://doc.powerdns.com/authoritative/appendices/EOL.html
https://doc.powerdns.com/recursor/appendices/EOL.html

When you do migrate to supported versions, note that authoritative and
recursor have now been fully split: the authoritative server since 4.1.0
cannot do any recursion at all (*). There are some migration options in
this article:
https://doc.powerdns.com/authoritative/guides/recursion.html

If you really, really need a single IP address to respond to both
authoritative and recursive queries, then it's possible to put dnsdist
in front of them both. However I would suggest that you split them
properly:

- bind pdns-recursor to one IP address
- bind pdns-auth to another IP address (or put it in its own VM or
  container)

You then configure your end clients to point to the recursor, and your
NS records point to the authoritative server.

You can still forward queries from pdns-recursor to pdns-auth, e.g. for
private zones. Depending on whether the parent domain has DNSSEC
enabled, you may need to set a Negative Trust Anchor for the subdomain.

So to do what you want with modern powerdns, you need to swap the
roles around: clients must send their queries to the recursor, not the
authoritative server. Hence you could bind the recursor to port 53, and
auth to 5353 - as long as no external queries arrive at the auth server
(i.e. it's completely private, no NS records point at it).

Regards,
Brian.

(*) pdns-auth can still make use of a resolver
<https://doc.powerdns.com/authoritative/settings.html#resolver> but this
is only for when it needs to resolve things for itself, like ALIAS records.
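
The split layout described in this message, sketched as configuration. This is an added example, not part of the original post and not taken from the PowerDNS documentation; the zone name corp.example, the addresses and the file paths are constructed placeholders, and backend settings for pdns-auth are left out.

```ini
# ---- /etc/powerdns/recursor.conf (path assumed) ----
# Clients point at this address; the recursor owns port 53.
# 192.0.2.53 and 192.0.2.0/24 are constructed documentation addresses.
local-address=192.0.2.53
local-port=53

# Only answer recursive queries from known client ranges, so the
# resolver is not usable as an open resolver.
allow-from=127.0.0.0/8, 192.0.2.0/24

# Send queries for the private zone to the local authoritative server.
# corp.example is a constructed zone name.
forward-zones=corp.example=127.0.0.1:5353

# Negative Trust Anchor, only if validation fails because the parent
# zone is DNSSEC-signed. It switches off validation for this subtree,
# so keep it as narrow as the private zone itself.
lua-config-file=/etc/powerdns/recursor.lua
# The Lua file named above would contain the single line:
#   addNTA("corp.example", "private zone served by local pdns-auth")

# ---- /etc/powerdns/pdns.conf (path assumed) ----
# Authoritative server: loopback only, non-standard port. Nothing
# external can reach it and no NS records point at it.
local-address=127.0.0.1
local-port=5353
```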