On 2/2/20 2:17 PM, Stef Coene wrote:
> On 2020-02-02 18:43, Mike wrote:
>> On 2/1/20 9:13 AM, Stef Coene wrote:
>> Typically, what you really want is to separate the functions of
>> 'authoritative server' and 'recursive resolver', which means that each
>> is handled on a separate IP address. Bind did/does allow this setup
>> and has extensive access controls to sort of make it work, but from an
>> operational perspective, it's a really bad idea. The essential reason is
>> that combining these functions means that you are essentially overriding
>> the internet roots with respect to your domain data, but only from the
>> perspective of any clients that happen to depend on you as their
>> recursive resolver. It's all fine when the roots point to you for some
>> domain, but then later if that domain is moved to a different set of
>> nameservers, unless you also update your config to remove that domain,
>> you are going to be serving incorrect DNS data to all clients who use
>> your resolver since it's still going off its local notion of things and
>> not referring those queries to the new servers. Typically what customers
>> want is to be able to set up their new hosting somewhere and get it all
>> ready, and then do the switch with their name registrar, and then later
>> once they are satisfied it's all working, then they call you to
>> cancel/delete the domain in question. Sometimes they are real slow
>> about this. Sometimes they never tell you at all. So even if you are
>> very proactive and handle these updates as they are requested, you may
>> never get the request or at least not in a timely fashion.
>>
>> Both powerdns server and powerdns recursor have settings to specify
>> which IP addresses to listen on, which allows them to co-exist on the
>> same machine just fine. Your problem with the master not pushing to the
>> slave is that the slave server isn't seeing the DNS NOTIFY from the
>> master. In the config you are proposing above, the reason is that by
>> default the master will send to the slave on port 53, which I think you
>> have as your resolver. In special applications, sure, you can override
>> this too. But simply having 2 IPs at each site will resolve this too as
>> well as other issues. The settings you want are 'local-address'.
>
> In my case, this is for internal use only.
>
> Currently, I have an authoritative server and a recursor in each
> datacenter and this is working fine.
>
> So my initial question is answered. I need a separate server or a
> different IP address to bind the authoritative server and the recursor.
Well, if you truly are 'internal use only' - meaning you are serving your
own zones which are not connected in any way to the internet roots - then
sure. Your original scenario can work if having more than 1 IP per host is
an issue - you could set the authoritative server to use port 5300; the bug
in your original is that you did this but didn't configure the updates to
go to same, which I think requires per-zone metadata to be set.

Mike-

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
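Added example (not part of the thread above and not configuration shipped by the PowerDNS project): what the two arrangements Mike describes look like in pdns.conf and recursor.conf, with the NOTIFY target fixed so that the secondary actually receives it. The addresses 192.0.2.x / 198.51.100.x, the zone name example.internal, the file paths and the pdnsutil commands are illustrative assumptions; the setting names are those of the 4.x Authoritative Server and Recursor of the time (master/slave, later renamed primary/secondary), and the port suffix on also-notify, forward-zones and the zone's primary address is used here on the assumption that your version accepts it, so verify against the documentation of the release you run.

```ini
# ===== Arrangement 1: two addresses per host, both daemons on port 53 =====
# Constructed example. Site A = 192.0.2.0/24, site B = 198.51.100.0/24.

# --- Site A: /etc/powerdns/pdns.conf (Authoritative Server, primary) ---
local-address=192.0.2.2        ; authoritative listens ONLY on this address
local-port=53
master=yes                     ; 4.5+: primary=yes
; NOTIFY goes to the secondary's *authoritative* address, not its resolver.
also-notify=198.51.100.2
allow-axfr-ips=198.51.100.2    ; only the secondary may pull zone transfers

# --- Site A: /etc/powerdns/recursor.conf (Recursor, what clients use) ---
local-address=192.0.2.1        ; resolver listens ONLY on this address
local-port=53
; Hand the internal zone to the co-located authoritative instance; the
; recursor itself keeps no copy of the zone, so moving the zone later
; only requires changing this one line.
forward-zones=example.internal=192.0.2.2
; Never leave recursion open to the world: restrict to internal clients.
allow-from=192.0.2.0/24, 198.51.100.0/24

# --- Site B: /etc/powerdns/pdns.conf (Authoritative Server, secondary) ---
local-address=198.51.100.2
local-port=53
slave=yes                      ; 4.5+: secondary=yes
allow-notify-from=192.0.2.2    ; accept NOTIFY only from the primary
; The primary's address is zone metadata in the backend, not in pdns.conf:
;   pdnsutil create-slave-zone example.internal 192.0.2.2

# --- Site B: /etc/powerdns/recursor.conf ---
local-address=198.51.100.1
forward-zones=example.internal=198.51.100.2
allow-from=192.0.2.0/24, 198.51.100.0/24


# ===== Arrangement 2: one address per host, authoritative on port 5300 =====
# This is the original scenario from the thread. The resolver keeps port 53;
# every reference to the authoritative server must now carry the port, or
# NOTIFY and AXFR land on the recursor and the secondary never updates.

# --- Site A: pdns.conf (primary) ---
local-address=192.0.2.1
local-port=5300
master=yes
also-notify=198.51.100.1:5300  ; port required, otherwise NOTIFY hits the recursor
allow-axfr-ips=198.51.100.1
; Per-zone alternative to the global also-notify (assumed syntax):
;   pdnsutil set-meta example.internal ALSO-NOTIFY 198.51.100.1:5300

# --- Site A: recursor.conf ---
local-address=192.0.2.1        ; port 53, the default
forward-zones=example.internal=192.0.2.1:5300
allow-from=192.0.2.0/24, 198.51.100.0/24

# --- Site B: pdns.conf (secondary) ---
local-address=198.51.100.1
local-port=5300
slave=yes
allow-notify-from=192.0.2.1
; The primary entry for the zone needs the port as well:
;   pdnsutil create-slave-zone example.internal 192.0.2.1:5300

# --- Site B: recursor.conf ---
local-address=198.51.100.1
forward-zones=example.internal=198.51.100.1:5300
allow-from=192.0.2.0/24, 198.51.100.0/24
```

Two checks after deploying either arrangement: `dig @192.0.2.2 example.internal SOA` (or `-p 5300` in the second arrangement) must answer with AA set, while `dig @192.0.2.1 example.internal SOA` must answer without it and with RA set; and after bumping the serial on the primary, `pdns_control notify example.internal` followed by the secondary's log should show the NOTIFY arriving on the authoritative port rather than the resolver's. The forward-zones line is only appropriate for zones that are genuinely internal, which is Stef's case; for a zone the public roots delegate elsewhere, leave the recursor to follow the delegation so that a move of the zone does not strand your own clients on stale data.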