On 2020-02-02 18:43, Mike wrote:
On 2/1/20 9:13 AM, Stef Coene wrote:
     Typically, what you really want is to separate the functions of
'authoritative server' and 'recursive resolver', which means that each
is handled on a separate IP address.  Bind did/does allow this setup
and has extensive access controls to sort of make it work, but from an
operational perspective, it's a really bad idea. The essential reason is
that combining these functions means that you are essentially overriding
the internet roots with respect to your domain data, but only from the
perspective of any clients that happen to depend on you as their
recursive resolver. It's all fine when the roots point to you for some
domain, but then later if that domain is moved to a different set of
nameservers, unless you also update your config to remove that domain,
you are going to be serving incorrect DNS data to all clients who use
your resolver since it's still going off its local notion of things and
not referring those queries to the new servers. Typically what customers
want is to be able to set up their new hosting somewhere and get it all
ready, then do the switch with their name registrar, and then later,
once they are satisfied it's all working, they call you to
cancel/delete the domain in question.  Sometimes they are real slow
about this. Sometimes they never tell you at all. So even if you are
very proactive and handle these updates as they are requested, you may
never get the request, or at least not in a timely fashion.

     Both PowerDNS server and PowerDNS recursor have settings to specify
which IP addresses to listen on, which allows them to co-exist on the
same machine just fine. Your problem with the master not pushing to the
slave is that the slave server isn't seeing the DNS NOTIFY from the
master. In the config you are proposing above, the reason is that by
default the master will send to the slave on port 53, which I think you
have as your resolver. In special applications, sure, you can override
this too. But simply having 2 IPs at each site will resolve this as
well as other issues. The setting you want is 'local-address'.

In my case, this is for internal use only.

Currently, I have an authoritative server and a recursor in each datacenter and this is working fine.

So my initial question is answered. I need a separate server or a different IP address to bind the authoritative server and the recursor.

Stef
_______________________________________________
Pdns-users mailing list
https://mailman.powerdns.com/mailman/listinfo/pdns-users
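As an added example that is not from the thread, here is one way to lay out the two configs Mike is describing: authoritative server and recursor on separate IP addresses of the same host, each listening on port 53. The 192.0.2.x addresses, the secondary/allow-from values and the old-style ini file names are constructed assumptions.

```ini
# /etc/powerdns/pdns.conf  (PowerDNS Authoritative Server, ini-style config)
# Constructed addresses: 192.0.2.10 = this site's authoritative server,
# 192.0.2.11 = this site's recursor, 192.0.2.20 = the other site's master.
# The master sends NOTIFY to port 53 of the address in the NS record, so that
# address must be the one the authoritative server binds, not the recursor's.
local-address=192.0.2.10
local-port=53
# Act as secondary for the zones transferred from the other site and accept
# NOTIFY only from that master.
slave=yes
allow-notify-from=192.0.2.20

# /etc/powerdns/recursor.conf  (PowerDNS Recursor, ini-style config)
# Its own address, so it never shadows the authoritative listener above.
local-address=192.0.2.11
local-port=53
# Internal use only: restrict who may send recursive queries.
allow-from=192.0.2.0/24, 10.0.0.0/8
```

Clients point at 192.0.2.11 for recursion, while the zone's NS records and the master's NOTIFY target 192.0.2.10; the recursor is left to follow delegations normally rather than being told about local zones.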