On 04/04/2022 23:57, Brian Lehnhardt via Pdns-users wrote:

> It seems like this should just work, but perhaps I am missing something. I'm using an older version of pdns as you can see from my config, and I can't seem to find any documentation on this older version. Any idea what I'm doing wrong here?

Indeed you are using a very old, unsupported version:

https://doc.powerdns.com/authoritative/appendices/EOL.html
https://doc.powerdns.com/recursor/appendices/EOL.html

When you do migrate to supported versions, note that authoritative and recursor have now been fully split: the authoritative server since 4.1.0 cannot do any recursion at all (*).  There are some migration options in this article:

https://doc.powerdns.com/authoritative/guides/recursion.html

If you really, really need a single IP address to respond to both authoritative and recursive queries, then it's possible to put dnsdist in front of them both.  However I would suggest that you split them properly:

- bind pdns-recursor to one IP address
- bind pdns-auth to another IP address (or put it in its own VM or container)

You then configure your end clients to point to the recursor, and your NS records point to the authoritative server.

You can still forward queries from pdns-recursor to pdns-auth, e.g. for private zones.  Depending on whether the parent domain has DNSSEC enabled, you may need to set a Negative Trust Anchor for the subdomain.

So to do what you want with modern powerdns, you need to swap the roles around: clients must send their queries to the recursor, not the authoritative server.  Hence you could bind the recursor to port 53, and auth to 5353 - as long as no external queries arrive at the auth server (i.e. it's completely private, no NS records point at it).

Regards,

Brian.

(*) pdns-auth can still make use of a resolver <https://doc.powerdns.com/authoritative/settings.html#resolver> but this is only for when it needs to resolve things for itself, like ALIAS records.
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
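
The layout described in the message above (recursor on port 53, private auth on 5353, one forwarded zone), as an added example that is not part of the original post. The zone name `corp.example.com`, the 192.0.2.x addresses and the Lua file path are constructed placeholders; settings use the key=value file format.

```ini
# ---- pdns.conf (pdns-auth) ----
# Private authoritative server: loopback only, non-standard port.
# No NS records point at it and no external queries should reach it.
local-address=127.0.0.1
local-port=5353

# ---- recursor.conf (pdns-recursor) ----
# End clients are configured to query this address on port 53.
local-address=192.0.2.53
local-port=53
# Only the local client network may recurse (constructed range).
allow-from=192.0.2.0/24
# Queries for the private zone go to pdns-auth instead of the public DNS.
forward-zones=corp.example.com=127.0.0.1:5353
# Only needed when the Negative Trust Anchor below is required.
lua-config-file=/etc/powerdns/recursor.lua

# ---- /etc/powerdns/recursor.lua (a Lua file, shown here as a comment) ----
# Needed when the parent domain is DNSSEC-signed and validation of the
# private subdomain would otherwise fail:
#   addNTA("corp.example.com", "private zone served by local pdns-auth")
```

After restarting both daemons, a query for a name in the forwarded zone sent to 192.0.2.53 should return the private data, and 127.0.0.1:5353 should not be reachable from any other host.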
