On 13/05/2020 08:18, Pierrick CHOVELON via Pdns-users wrote:

Now, let's imagine I want to resolve foo.example.net and also bar.example.net.

Do I have to create two zone files (one for foo.example.net and one for bar.example.net) like I did previously? Or is it possible to have a single file (example.net) in which I add the two records?
In that case, will it have some issue with others records ?

Pdns separates the recursor and authoritative server roles.

At the recursor, you will need forward rules for foo.example.net and bar.example.net pointing to your authoritative server, which is providing the fake/non-public data for foo.example.net and bar.example.net.  "forward-zones-file" is the easiest way to do that.

At the authoritative server, I'd say it's least confusing if you also create separate zones for foo.example.net and bar.example.net.  However you *could* make it authoritative for example.net (or .net, or even the entire DNS root).  If it's private auth DNS, and it's not going to be receiving delegated queries from anyone else on the Internet, it doesn't matter.

Are you trying to mix in individual private hosts to a public domain?  The way I prefer to handle this is to have a single domain for private DNS, e.g. int.example.net, and put everything under there - foo.int.example.net, bar.int.example.net.  It's a lot cleaner, less work to manage, and less opportunity for mistakes.

Also, in the public DNS I put an NS record for int.example.net pointing to a separate public-facing DNS server with an empty zone file for int.example.net.  This server permits dynamic DNS updates from my internal machines - I use it for responding to dns01 challenges for LetsEncrypt certificates.  This means internal machines can have valid certificates, even though foo.int.example.net is not reachable from the public Internet, and its address is not visible in the public DNS either.

Regards,

Brian.

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
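The split Brian describes, laid out as files, as an added example (this is not code from the post or from the PowerDNS project). The script writes a recursor forward-zones-file, a per-host authoritative zone for foo.example.net, the single private subdomain int.example.net holding both hosts, and the public NS delegation for int.example.net. It then shows, with a small shell function that mimics the recursor's most-specific-zone match, which names are sent to the private authoritative server and which fall through to normal Internet resolution. All addresses are assumptions: 192.0.2.10 is the private authoritative server, 203.0.113.5 the public dynamic-update server, 10.0.0.x the internal hosts.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or from PowerDNS.
# Writes the recursor and authoritative files for the private-name setup,
# then shows how forward-zones routing picks a forwarder per query name.
# Assumed addresses: 192.0.2.10 = private auth server, 203.0.113.5 = public
# dynamic-update server for int.example.net, 10.0.0.x = internal hosts.
set -eu

DIR="${1:-/tmp/pdns-split-example}"
mkdir -p "$DIR"

# --- Recursor: one "zone=ip[:port]" per line. Point recursor.conf at it with
#     forward-zones-file=/tmp/pdns-split-example/forward-zones.conf
cat > "$DIR/forward-zones.conf" <<'EOF'
foo.example.net=192.0.2.10
bar.example.net=192.0.2.10
int.example.net=192.0.2.10
EOF

# --- Authoritative, variant 1: one zone per private host name (apex A record)
cat > "$DIR/foo.example.net.zone" <<'EOF'
$ORIGIN foo.example.net.
$TTL 300
@    IN SOA ns1.foo.example.net. hostmaster.example.net. 2020051301 3600 900 1209600 300
@    IN NS  ns1.foo.example.net.
ns1  IN A   192.0.2.10
@    IN A   10.0.0.5
EOF

# --- Authoritative, variant 2: everything private under one int.example.net zone
cat > "$DIR/int.example.net.zone" <<'EOF'
$ORIGIN int.example.net.
$TTL 300
@    IN SOA ns1.int.example.net. hostmaster.example.net. 2020051301 3600 900 1209600 300
@    IN NS  ns1.int.example.net.
ns1  IN A   192.0.2.10
foo  IN A   10.0.0.5
bar  IN A   10.0.0.6
EOF

# --- Public example.net: delegate int.example.net to a separate public server
#     that holds an otherwise empty int.example.net zone and accepts dynamic
#     updates for _acme-challenge.<host>.int.example.net TXT records (dns-01).
cat > "$DIR/example.net.public-delegation.zone" <<'EOF'
int.example.net.      IN NS  ns-int.example.net.
ns-int.example.net.   IN A   203.0.113.5
EOF

# forwarder_for NAME FILE
# Prints the forwarder for NAME by stripping labels from the left until a zone
# listed in FILE matches (most-specific zone wins), which is how the recursor
# applies forward-zones. A leading '+' (forward-zones-recurse syntax) is
# accepted. Returns 1 and prints nothing when no zone covers NAME, i.e. the
# recursor would resolve that name normally from the public DNS.
forwarder_for() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    file="$2"
    while [ -n "$name" ]; do
        hit=$(awk -F= -v n="$name" \
            'tolower($1) == n || tolower($1) == ("+" n) { print $2; exit }' "$file")
        if [ -n "$hit" ]; then
            printf '%s\n' "$hit"
            return 0
        fi
        case "$name" in
            *.*) name="${name#*.}" ;;
            *)   name="" ;;
        esac
    done
    return 1
}

# Demo: private names go to the private auth server; the rest of example.net
# is not forwarded at all, so public records there are untouched.
forwarder_for db.foo.example.net  "$DIR/forward-zones.conf"   # 192.0.2.10
forwarder_for bar.int.example.net "$DIR/forward-zones.conf"   # 192.0.2.10
forwarder_for www.example.net "$DIR/forward-zones.conf" \
    || echo "www.example.net: not forwarded, resolved from public DNS"
```

Load the authoritative zones with `pdnsutil load-zone foo.example.net /tmp/pdns-split-example/foo.example.net.zone` (and likewise for int.example.net), and set `forward-zones-file=/tmp/pdns-split-example/forward-zones.conf` in recursor.conf. On the public server that holds the delegated int.example.net zone, `dnsupdate=yes` in pdns.conf plus the `ALLOW-DNSUPDATE-FROM` zone metadata restrict which internal addresses may push the `_acme-challenge` TXT records. One caveat worth checking: the forward rule covers the zone and everything below it, so forwarding `example.net` as a whole to the private server would make every other example.net name answer only from that private zone; forwarding just the leaf names (or just int.example.net) leaves the public records alone, which is why the negative case above prints nothing.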
