[Pdns-users] How to make Authoritative work?

jrd-pdns at jrd.org jrd-pdns at jrd.org
Tue Jan 18 15:03:44 UTC 2022

Ok, fair enough.  I get that I'm doing something slightly outside the
box, though it didn't seem to me that it was *that* far outside :)  I
probably am thinking of bind days, bad on me.

Let's get back to my original question:  How do I get pdns, with no
recursor in the picture, to believe that it's authoritative for a zone?
When I it hit with a query, I get

root at f3-kong-dyndns /etc/powerdns # dig -p 5300 jrd.org soa @localhost

; <<>> DiG 9.16.22 <<>> -p 5300 jrd.org soa @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37408
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

; EDNS: version: 0, flags:; udp: 1232
;jrd.org.			IN	SOA

jrd.org.		86400	IN	SOA	f3-kong-dyndns.jrd.org. postmaster.jrd.org. 2022010900 10800 3600 3600000 86400

;; Query time: 10 msec
;; SERVER: ::1#5300(::1)
;; WHEN: Tue Jan 18 08:54:01 EST 2022
;; MSG SIZE  rcvd: 98

I posted previously the pdns config and the stuff in the DB which
pertains to jrd.org.  I must be missing something that my pdns is
looking for, but it's not clear to me what.

    From: Brian Candler <b.candler at pobox.com>
    Date: Tue, 18 Jan 2022 14:49:50 +0000
    On 18/01/2022 14:38, jrd-pdns at jrd.org wrote:
        . . . but when I query direct to the pdns, it also doesn't say it's
        authoritative.  See previous mail.
    Sorry, I missed that mail.  Did you send a dig directly to port 5300?  I
    didn't catch that.
        I probably need to go back and re-read the DNS specs.  It's been years
        since I was deep into this, but I don't remember that a recursor
        always returns non-authoritative, even when wherever it got the answer
        was authoritative.  Did that behaviour change somewhere along in
    I don't think it's changed, although bind may have performed in an odd way
    (e.g. returning AA for the first answer from cache, non-AA for subsequent)
    Even from the very oldest spec, RFC1035:
    AA              Authoritative Answer - this bit is valid in responses,
                    and specifies that the responding name server is an
                    authority for the domain name in question section.
    A recursor is not an authority for the name.
        Assuming I'm simply mis-remembering how that's supposed to work,
        what's the recipe for setting up a local (set of) server(s) which:
          .  Returns authoritative for some zones, for which it has local data
          .  Recurses to other servers for other zones
    You Really Don't Want To Do That™.
    If you think you must (and continue to use powerdns), then you can look at
    putting dnsdist in front of pdns-auth and pdns-recursor.  But really, really
    you don't.  Just give your cache(s) their own IP addresses, and your
    authoritative server(s) their own IP addresses.  This is how DNS is supposed
    to work.
    The only reason I can think of for not doing that is that you need to share a
    single public IP address between recursor and authoritative; but then you
    might as well just put your recursor behind NAT.  Either way, it doesn't
    scale, and pdns is designed for ISP-scale deployments.

More information about the Pdns-users mailing list