[Pdns-users] How to make Authoritative work?
jrd-pdns at jrd.org
Tue Jan 18 15:03:44 UTC 2022
Ok, fair enough. I get that I'm doing something slightly outside the
box, though it didn't seem to me that it was *that* far outside :) I
probably am thinking of bind days, bad on me.

Let's get back to my original question: How do I get pdns, with no
recursor in the picture, to believe that it's authoritative for a zone?
When I hit it with a query, I get

root at f3-kong-dyndns /etc/powerdns # dig -p 5300 jrd.org soa @localhost

; <<>> DiG 9.16.22 <<>> -p 5300 jrd.org soa @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37408
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;jrd.org. IN SOA

;; ANSWER SECTION:
jrd.org. 86400 IN SOA f3-kong-dyndns.jrd.org. postmaster.jrd.org. 2022010900 10800 3600 3600000 86400

;; Query time: 10 msec
;; SERVER: ::1#5300(::1)
;; WHEN: Tue Jan 18 08:54:01 EST 2022
;; MSG SIZE rcvd: 98

I posted previously the pdns config and the stuff in the DB which
pertains to jrd.org. I must be missing something that my pdns is
looking for, but it's not clear to me what.
> From: Brian Candler <b.candler at pobox.com>
> Date: Tue, 18 Jan 2022 14:49:50 +0000
>
> On 18/01/2022 14:38, jrd-pdns at jrd.org wrote:
>> . . . but when I query direct to the pdns, it also doesn't say it's
>> authoritative. See previous mail.
>
> Sorry, I missed that mail. Did you send a dig directly to port 5300? I
> didn't catch that.
>
>> I probably need to go back and re-read the DNS specs. It's been years
>> since I was deep into this, but I don't remember that a recursor
>> always returns non-authoritative, even when wherever it got the answer
>> was authoritative. Did that behaviour change somewhere along in
>
> I don't think it's changed, although bind may have performed in an odd way
> (e.g. returning AA for the first answer from cache, non-AA for subsequent)
>
> Even from the very oldest spec, RFC1035:
>
>     AA Authoritative Answer - this bit is valid in responses,
>        and specifies that the responding name server is an
>        authority for the domain name in question section.
>
> A recursor is not an authority for the name.
>
>> Assuming I'm simply mis-remembering how that's supposed to work,
>> what's the recipe for setting up a local (set of) server(s) which:
>> . Returns authoritative for some zones, for which it has local data
>> . Recurses to other servers for other zones
>
> You Really Don't Want To Do That™.
>
> If you think you must (and continue to use powerdns), then you can look at
> putting dnsdist in front of pdns-auth and pdns-recursor. But really, really
> you don't. Just give your cache(s) their own IP addresses, and your
> authoritative server(s) their own IP addresses. This is how DNS is supposed
>
> The only reason I can think of for not doing that is that you need to share a
> single public IP address between recursor and authoritative; but then you
> might as well just put your recursor behind NAT. Either way, it doesn't
> scale, and pdns is designed for ISP-scale deployments.
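As an added example (not from this thread or from PowerDNS), a stdlib-only Python checker that does what the dig above does: it sends a SOA query to a server and port and decodes the RFC 1035 header flags, so a script can tell an authoritative answer (AA set, exactly what the `flags: qr aa rd` line in the dig output shows for port 5300) from a recursor's cached one. The ::1 / 5300 defaults mirror the dig output; the two sample headers are constructed.

```python
import socket
import struct

# Header flag bits from RFC 1035 section 4.1.1 (16-bit flags word).
FLAG_QR = 0x8000
FLAG_AA = 0x0400
FLAG_TC = 0x0200
FLAG_RD = 0x0100
FLAG_RA = 0x0080
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qtype=6, qid=0x1234):
    """Build a minimal DNS query (qtype 6 = SOA) with RD set, as dig does."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(data):
    """Decode the 12-byte DNS header into id, flag names, rcode and counts."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    bits = (("qr", FLAG_QR), ("aa", FLAG_AA), ("tc", FLAG_TC),
            ("rd", FLAG_RD), ("ra", FLAG_RA))
    names = [n for n, bit in bits if flags & bit]
    rcode = RCODES.get(flags & 0xF, str(flags & 0xF))
    return {"id": qid, "flags": names, "rcode": rcode, "counts": (qd, an, ns, ar)}

def is_authoritative(data):
    """True only when the responder claims authority (AA) and answered NOERROR."""
    h = parse_header(data)
    return "aa" in h["flags"] and h["rcode"] == "NOERROR"

def check_aa(name, server="::1", port=5300, timeout=2.0):
    """Send a SOA query over UDP and return the parsed header (live network)."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        data, _ = s.recvfrom(4096)
    return parse_header(data)

# Constructed header mirroring the dig output: id 37408, flags qr aa rd,
# QUERY 1, ANSWER 1, AUTHORITY 0, ADDITIONAL 1.
SAMPLE_AUTH_HEADER = struct.pack("!HHHHHH", 37408, FLAG_QR | FLAG_AA | FLAG_RD, 1, 1, 0, 1)
# Constructed header of the same answer as a recursor would return it: qr rd ra, no aa.
SAMPLE_RECURSOR_HEADER = struct.pack("!HHHHHH", 37408, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 1)

if __name__ == "__main__":
    print(parse_header(SAMPLE_AUTH_HEADER))
    print(check_aa("jrd.org"))  # queries ::1 port 5300 like the dig above
```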