[Pdns-users] How to make Authoritative work?
b.candler at pobox.com
Tue Jan 18 14:49:50 UTC 2022
On 18/01/2022 14:38, jrd-pdns at jrd.org wrote:
> . . . but when I query direct to the pdns, it also doesn't say it's
> authoritative. See previous mail.
Sorry, I missed that mail. Did you send a dig directly to port 5300? I
didn't catch that.
> I probably need to go back and re-read the DNS specs. It's been years
> since I was deep into this, but I don't remember that a recursor
> always returns non-authoritative, even when wherever it got the answer
> was authoritative. Did that behaviour change somewhere along in
I don't think it's changed, although bind may have performed in an odd
way (e.g. returning AA for the first answer from cache, non-AA for
Even from the very oldest spec, RFC1035:
    AA  Authoritative Answer - this bit is valid in responses,
        and specifies that the responding name server is an
        authority for the domain name in
A recursor is not an authority for the name.
> Assuming I'm simply mis-remembering how that's supposed to work,
> what's the recipe for setting up a local (set of) server(s) which:
> . Returns authoritative for some zones, for which it has local data
> . Recurses to other servers for other zones
You Really Don't Want To Do That™.
If you think you must (and continue to use powerdns), then you can look
at putting dnsdist in front of pdns-auth and pdns-recursor. But really,
really you don't. Just give your cache(s) their own IP addresses, and
your authoritative server(s) their own IP addresses. This is how DNS is
supposed to work.
The only reason I can think of for not doing that is that you need to
share a single public IP address between recursor and authoritative; but
then you might as well just put your recursor behind NAT. Either way,
it doesn't scale, and pdns is designed for ISP-scale deployments.
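To check the AA bit discussed above for yourself, here is an added example (not part of the original thread and not PowerDNS code) that builds a minimal RFC 1035 query, parses the response header flags and reports whether AA is set; the server address, query name and the port 5300 usage are assumptions, and the two sample response headers at the bottom are constructed inline.

```python
import socket
import struct

# RFC 1035 section 4.1.1 header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER = struct.Struct("!HHHHHH")

def build_query(name, qtype=1, qid=0x1234):
    """Build a standard query (QR=0, RD=1) for `name`, type A by default."""
    flags = 0x0100  # only RD set
    header = HEADER.pack(qid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def parse_flags(packet):
    """Return the header flag bits of a DNS packet as a dict."""
    qid, flags, _qd, an, _ns, _ar = HEADER.unpack_from(packet, 0)
    return {
        "id": qid,
        "qr": (flags >> 15) & 1,   # response?
        "aa": (flags >> 10) & 1,   # authoritative answer (RFC 1035 4.1.1)
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,    # recursion available
        "rcode": flags & 0xF,
        "ancount": an,
    }

def query_aa(server, name, port=53, timeout=2.0):
    """Send one UDP query to server:port (assumed reachable) and report AA."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(4096)
    f = parse_flags(data)
    if f["id"] != 0x1234:
        raise ValueError("response ID mismatch")
    return f["aa"] == 1

# Constructed sample headers (flags are all we need to read):
# authoritative server: QR=1 AA=1 RD=1 RA=0 -> 0x8500
AUTH_RESPONSE = HEADER.pack(0x1234, 0x8500, 1, 1, 0, 0)
# recursor answering from cache: QR=1 AA=0 RD=1 RA=1 -> 0x8180
RECURSOR_RESPONSE = HEADER.pack(0x1234, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    for label, pkt in (("auth", AUTH_RESPONSE), ("recursor", RECURSOR_RESPONSE)):
        print(label, "AA =", parse_flags(pkt)["aa"])
```

Pointing `query_aa("127.0.0.1", "zone.example", port=5300)` at pdns-auth for a zone it serves should return True, while the same name asked of the recursor returns False even though the recursor fetched the data from that authoritative server.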