[Pdns-users] How to make Authoritative work?
jrd-pdns at jrd.org
jrd-pdns at jrd.org
Tue Jan 18 15:03:44 UTC 2022
Ok, fair enough. I get that I'm doing something slightly outside the
box, though it didn't seem to me that it was *that* far outside :) I
probably am thinking of bind days, bad on me.
Let's get back to my original question: How do I get pdns, with no
recursor in the picture, to believe that it's authoritative for a zone?
When I it hit with a query, I get
root at f3-kong-dyndns /etc/powerdns # dig -p 5300 jrd.org soa @localhost
; <<>> DiG 9.16.22 <<>> -p 5300 jrd.org soa @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37408
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;jrd.org. IN SOA
;; ANSWER SECTION:
jrd.org. 86400 IN SOA f3-kong-dyndns.jrd.org. postmaster.jrd.org. 2022010900 10800 3600 3600000 86400
;; Query time: 10 msec
;; SERVER: ::1#5300(::1)
;; WHEN: Tue Jan 18 08:54:01 EST 2022
;; MSG SIZE rcvd: 98
I posted previously the pdns config and the stuff in the DB which
pertains to jrd.org. I must be missing something that my pdns is
looking for, but it's not clear to me what.
From: Brian Candler <b.candler at pobox.com>
Date: Tue, 18 Jan 2022 14:49:50 +0000
On 18/01/2022 14:38, jrd-pdns at jrd.org wrote:
. . . but when I query direct to the pdns, it also doesn't say it's
authoritative. See previous mail.
Sorry, I missed that mail. Did you send a dig directly to port 5300? I
didn't catch that.
I probably need to go back and re-read the DNS specs. It's been years
since I was deep into this, but I don't remember that a recursor
always returns non-authoritative, even when wherever it got the answer
was authoritative. Did that behaviour change somewhere along in
there?
I don't think it's changed, although bind may have performed in an odd way
(e.g. returning AA for the first answer from cache, non-AA for subsequent)
Even from the very oldest spec, RFC1035:
AA Authoritative Answer - this bit is valid in responses,
and specifies that the responding name server is an
authority for the domain name in question section.
A recursor is not an authority for the name.
Assuming I'm simply mis-remembering how that's supposed to work,
what's the recipe for setting up a local (set of) server(s) which:
. Returns authoritative for some zones, for which it has local data
. Recurses to other servers for other zones
You Really Don't Want To Do That™.
If you think you must (and continue to use powerdns), then you can look at
putting dnsdist in front of pdns-auth and pdns-recursor. But really, really
you don't. Just give your cache(s) their own IP addresses, and your
authoritative server(s) their own IP addresses. This is how DNS is supposed
to work.
The only reason I can think of for not doing that is that you need to share a
single public IP address between recursor and authoritative; but then you
might as well just put your recursor behind NAT. Either way, it doesn't
scale, and pdns is designed for ISP-scale deployments.
More information about the Pdns-users
mailing list