[Pdns-users] How to make Authoritative work?

Brian Candler b.candler at pobox.com
Tue Jan 18 14:49:50 UTC 2022

On 18/01/2022 14:38, jrd-pdns at jrd.org wrote:
> . . . but when I query direct to the pdns, it also doesn't say it's
> authoritative.  See previous mail.

Sorry, I missed that mail.  Did you send a dig directly to port 5300?  I 
didn't catch that.

> I probably need to go back and re-read the DNS specs.  It's been years
> since I was deep into this, but I don't remember that a recursor
> always returns non-authoritative, even when wherever it got the answer
> was authoritative.  Did that behaviour change somewhere along in
> there?

I don't think it's changed, although bind may have performed in an odd 
way (e.g. returning AA for the first answer from cache, non-AA for 

Even from the very oldest spec, RFC1035:

AA              Authoritative Answer - this bit is valid in responses,
                and specifies that *the responding name server is an
                authority for the domain name in question section*.

A recursor is not an authority for the name.

> Assuming I'm simply mis-remembering how that's supposed to work,
> what's the recipe for setting up a local (set of) server(s) which:
>    .  Returns authoritative for some zones, for which it has local data
>    .  Recurses to other servers for other zones

You Really Don't Want To Do That™.

If you think you must (and continue to use powerdns), then you can look 
at putting dnsdist in front of pdns-auth and pdns-recursor.  But really, 
really you don't.  Just give your cache(s) their own IP addresses, and 
your authoritative server(s) their own IP addresses.  This is how DNS is 
supposed to work.

The only reason I can think of for not doing that is that you need to 
share a single public IP address between recursor and authoritative; but 
then you might as well just put your recursor behind NAT.  Either way, 
it doesn't scale, and pdns is designed for ISP-scale deployments.
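
The AA bit from the RFC 1035 text quoted above can be read straight out of the 12-byte DNS header. The following is an added example, not part of the original message or of PowerDNS: the function names, the verdict strings and the sample responses are constructed for illustration, and the verdict is a heuristic based only on the AA and RA flags.

```python
import struct

# Masks for the 16-bit flags field at bytes 2-3 of the header (RFC 1035, 4.1.1).
QR = 0x8000  # message is a response
AA = 0x0400  # Authoritative Answer
RD = 0x0100  # Recursion Desired (copied from the query)
RA = 0x0080  # Recursion Available


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal query for `name` (qtype 1 = A, class IN, RD set)."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def classify(message):
    """Return (aa, ra, verdict) for a raw DNS response."""
    if len(message) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    flags = struct.unpack("!H", message[2:4])[0]
    if not flags & QR:
        raise ValueError("not a response (QR bit clear)")
    aa, ra = bool(flags & AA), bool(flags & RA)
    if aa and not ra:
        verdict = "authoritative server"
    elif ra and not aa:
        verdict = "recursor"
    elif aa and ra:
        verdict = "authoritative and recursive on one address"
    else:
        verdict = "no AA, no RA (e.g. referral or refusal)"
    return aa, ra, verdict


def fake_response(query, flags):
    """Constructed sample: the query echoed back with response flags set."""
    return query[:2] + struct.pack("!H", flags) + query[4:]


QUERY = build_query("example.com")
FROM_AUTH = fake_response(QUERY, QR | AA | RD)      # constructed: AA set, no RA
FROM_RECURSOR = fake_response(QUERY, QR | RD | RA)  # constructed: RA set, no AA
```

The same flags appear in the `flags:` line of dig output (`aa`, `rd`, `ra`), so this is the check dig performs when a query is sent directly to the authoritative server's port.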