Re: [Pdns-users] PDNS Auth Zone Distribution in a Global Network?

2018-07-02 Thread Klaus Darilion

On 29.06.2018 at 23:23, Anthony Eden wrote:

Hello everyone,

I am considering moving some or all of DNSimple's authoritative DNS service 
back over to PowerDNS within the next 6 months, but before I do so, I'm hoping 
to get in touch with one or more folks from the PowerDNS community who operate 
authoritative DNS across multiple geographic regions.

We currently have POPs in San Jose, Chicago, Virginia, Amsterdam, Tokyo, and a 
new one coming online in Sydney. To distribute zone changes quickly (within 60 
seconds) from our Chicago data center we have a home grown zone distribution 
system where notifications are sent to a zone server within each data center, 
and that zone server in turn sends out a notice to every name server in its 
data center. Each name server then queries the zone server for the zone, and 
the zone server either pulls the zone from memcached and returns it to the name 
server, which caches it in memory, or the zone server queries our primary data 
store in Chicago to get the zone.

This system works, however as it is all home grown, it is difficult to maintain 
and enhance. I am interested in moving away from our custom solution to 
something off-the-shelf, and I'm looking for recommendations from other 
operators on what is working for you.

Thanks in advance for your time and your thoughts.


We use the postgresql backend and Slony replication to 36+ slaves 
worldwide. Pushing changes quickly depends on how big your system is 
(number of zones, zone changes). We relaxed the sync settings of Slony 
to lower CPU resources, but are usually within 30 seconds. Delay of 
course mostly depends on your PowerDNS query-cache and packet-cache 
settings. Without caching the load on the DB is usually too high if you 
have plenty of queries (which we have).


But I am happy to have a DB replication which ensures that slaves are in 
sync and we do not have to care about lost NOTIFYs.


Klaus

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Native setups and AXFR for external providers

2018-07-02 Thread Klaus Darilion

On 21.06.2018 at 16:29, Eric Raymond wrote:

We have two servers that manage our external zones,

ServerA is set to Native using gmysql backend and sits in an internal 
network, and replicates to ServerB in our DMZ.  We also would like to 
have a AXFR sent to notify our external DNS provider, but is it 
possible to send the transfer from the "replica" in the DMZ?


Thanks.




I think you can do this by using type=master instead of type=native, and 
then block NOTIFYs using "only-notify=" on serverA. Then configure the 
respective also-notifys on server B.



Klaus

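As an added illustration of the layout Klaus describes (these fragments are not from his message or from the PowerDNS project), pdns.conf settings for the two servers, using the 4.1-era option names: both read the same replicated database with the zones set to type MASTER, serverA sends no NOTIFYs at all, and serverB both notifies the external provider and permits it to pull the AXFR. The provider address 192.0.2.10 is a placeholder.

```ini
# --- serverA (internal network): constructed example, not from the thread ---
launch=gmysql
# the zones must be type MASTER in the domains table, not NATIVE,
# otherwise neither server ever sends a NOTIFY
master=yes
# an empty only-notify list means: send no NOTIFYs from this server
only-notify=

# --- serverB (DMZ), reads the same replicated database ---
launch=gmysql
master=yes
# 192.0.2.10 is a placeholder for the external provider's transfer host
also-notify=192.0.2.10
# the provider must also be allowed to pull the zone after the NOTIFY
allow-axfr-ips=192.0.2.10
```

Because both servers see the same serial in the replicated table, only serverB (where only-notify is left at its default) will announce the change to the provider.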


Re: [Pdns-users] PDNS Auth Zone Distribution in a Global Network?

2018-07-02 Thread Steve Atkins

> On Jun 29, 2018, at 2:23 PM, Anthony Eden wrote:

I've been using PowerDNS in several locations, east and west coast of the US, 
using a PostgreSQL backend and PostgreSQL logical replication. Updates are 
pushed out fast enough that I don't see any delay, typically less than a second.

If the database backend will handle your query load it's well worth considering.

Cheers,
  Steve


Re: [Pdns-users] Old 3.3.1-1 to 4.1.3 Authoritative and Recursor issue

2018-07-02 Thread Steven Spencer
On 07/02/2018 12:08 PM, Walter Parker wrote:
>
> On Mon, Jul 2, 2018 at 8:21 AM, Steven Spencer
> <steven.spen...@kdsi.com> wrote:
>
> Greetings,
>
> We have been using PowerDNS for a very long time. I've converted
> from several older versions to new ones and separated our recursor
> from our authoritative server about 6 years ago. We are also a
> small IT shop, so sometimes things get behind, which is where we
> are at the moment with PDNS.
>
> What I'm trying to get my mind around is the changes to how the
> recursive server communicates with the authoritative server. In an
> attempt to take our new servers live last night, our authoritative
> server would answer for domains that we are authoritative for, but
> would not answer for anything that required the recursor. The
> recursor, however, answered just fine for everything, but showed
> everything as a Non-authoritative answer, even for things that we
> are authoritative for. In reading the documents, I came across the
> *"Migrating from using recursion on the Authoritative Server to
> using a Recursor"
> *(https://doc.powerdns.com/authoritative/guides/recursion.html)
> article which I initially discounted, as we have, again, been
> running separate recursors and authoritative servers for quite a
> few years. The removal of the ability to specify the recursor
> within the pdns.conf, seems to have changed the entire dynamic of
> the request/reply framework. (we used the recursor= to specify the
> recursor's address which resided on its own hardware). Up to this
> point, our authoritative server has had the publicly advertised
> DNS address, but if I'm reading this article correctly, it /looks/
> like we need to switch the recursor to run as the IP of what we
> have published as our DNS address. So, my questions are:
>
> * Is this the case, do I need to change my IP scheme so that the
> recursor(s) for our domain actually have the IP address of the
> published DNS servers?
>
> At the DNS register, add the host name of the authoritative server
> (which should be pointed at a separate IP address from the recursive
> server). The recursor IP address is not published as a name server.
> The recursor is added to /etc/resolv.conf and to the DHCP server as the
> local DNS server.
That server is already there and published and the recursor is already
separate as indicated
>
> * If so, is it OK that answers will show up on the recursor as
> non-authoritative even if we are indeed authoritative for the domain?
>
> Recursors are never authoritative in a split model. Only the
> authoritative server is (hence the name). The recursor looks up the
> DNS information at the authoritative (just like everyone else). You
> override the recursor to pull DNS directly from your 
> authoritative server, but that is not required.
Which is what I assumed when I took this live last night and then backed
it out.
>
> * finally, does this adversely affect the way that the root DNS
> servers communicate with our zone?
>
> Root servers don't communicate to you, they respond to DNS requests as
> authoritative servers, just like any other authoritative server.
>
OK, so this is again what I assumed last night when I attempted to take
this live.

Walter, I appreciate your response. What I'm hearing is that the IP of
the authoritative server, as already registered, should be correct with
no need to change it. The recursors would be used as local DNS servers
(i.e., in your example /etc/resolv.conf), which, if you are using your
own DNS currently on devices in your organization, would mean a
fork-lift upgrade to use the recursors instead. I'm also hearing that
querying your authoritative DNS for something that it is not
authoritative for should in fact return refused.

As long as the recursor does return the correct information (as ours
did) can we assume that things are working? Is there a good way to make
sure that the authoritative server is properly configured before an
actual go-live? (testing methodology)

Thanks again for your response.
>
> Thanks in advance,
>
> -- 
> -- 
> Steven G. Spencer, Network Administrator
> KSC Corporate - The Kelly Supply Family of Companies
> Office 308-382-8764 Ext. 1131
> Mobile 402-765-8010 
>
>
>
>
> Walter
>
> -- 
> The greatest dangers to liberty lurk in insidious encroachment by
> men of zeal, well-meaning but without understanding.   -- Justice
> Louis D. Brandeis


-- 
-- 
Steven G. Spencer, Network Administrator
KSC 

Re: [Pdns-users] Old 3.3.1-1 to 4.1.3 Authoritative and Recursor issue

2018-07-02 Thread Walter Parker
On Mon, Jul 2, 2018 at 8:21 AM, Steven Spencer 
wrote:

> Greetings,
>
> We have been using PowerDNS for a very long time. I've converted from
> several older versions to new ones and separated our recursor from our
> authoritative server about 6 years ago. We are also a small IT shop, so
> sometimes things get behind, which is where we are at the moment with PDNS.
>
> What I'm trying to get my mind around is the changes to how the recursive
> server communicates with the authoritative server. In an attempt to take
> our new servers live last night, our authoritative server would answer for
> domains that we are authoritative for, but would not answer for anything
> that required the recursor. The recursor, however, answered just fine for
> everything, but showed everything as a Non-authoritative answer, even for
> things that we are authoritative for. In reading the documents, I came
> across the *"Migrating from using recursion on the Authoritative Server
> to using a Recursor" *(https://doc.powerdns.com/authoritative/guides/recursion.html)
> article which I initially discounted, as we have, again,
> been running separate recursors and authoritative servers for quite a few
> years. The removal of the ability to specify the recursor within the
> pdns.conf, seems to have changed the entire dynamic of the request/reply
> framework. (we used the recursor= to specify the recursor's address which
> resided on its own hardware). Up to this point, our authoritative server
> has had the publicly advertised DNS address, but if I'm reading this
> article correctly, it /looks/ like we need to switch the recursor to run as
> the IP of what we have published as our DNS address. So, my questions are:
>
> * Is this the case, do I need to change my IP scheme so that the
> recursor(s) for our domain actually have the IP address of the published
> DNS servers?
>
At the DNS register, add the host name of the authoritative server (which
should be pointed at a separate IP address from the recursive server). The
recursor IP address is not published as a name server. The recursor is added
to /etc/resolv.conf and to the DHCP server as the local DNS server.

> * If so, is it OK that answers will show up on the recursor as
> non-authoritative even if we are indeed authoritative for the domain?
>
Recursors are never authoritative in a split model. Only the authoritative
server is (hence the name). The recursor looks up the DNS information at
the authoritative (just like everyone else). You override the recursor to
pull DNS directly from your authoritative server, but that is not required.

> * finally, does this adversely affect the way that the root DNS servers
> communicate with our zone?
>
Root servers don't communicate to you, they respond to DNS requests as
authoritative servers, just like any other authoritative server.

> Thanks in advance,
>
> --
> --
> Steven G. Spencer, Network Administrator
> KSC Corporate - The Kelly Supply Family of Companies
> Office 308-382-8764 Ext. 1131
> Mobile 402-765-8010
>
>
>
>
Walter

-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
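Steven asks above for a testing methodology before go-live, and Walter's answers give the observable behaviour to test for: the published authoritative IP answers its own zones with the AA bit set and refuses names it does not host, while the recursor answers everything without AA. The following script is an added example, not from the thread; it uses the standard library only, and the server addresses and zone names in it are placeholders to replace with your own.

```python
import socket
import struct

# Added pre-go-live check (not from the thread): send a plain A query and
# classify the reply by its AA flag and RCODE, so each server's role in the
# split authoritative/recursor setup can be verified before switching DNS.

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(qname, qid=0x1234, recursion_desired=False):
    """Build a minimal DNS query (A/IN) in RFC 1035 wire format."""
    flags = 0x0100 if recursion_desired else 0x0000   # RD bit only
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def classify(response):
    """Classify a DNS reply: AUTHORITATIVE, NON-AUTHORITATIVE, REFUSED or an RCODE."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    aa = bool(flags & 0x0400)          # Authoritative Answer bit
    rcode = flags & 0x000F
    if rcode == 5:
        return "REFUSED"
    if rcode not in (0, 3):
        return RCODE_NAMES.get(rcode, "RCODE%d" % rcode)
    base = "AUTHORITATIVE" if aa else "NON-AUTHORITATIVE"
    return base + ("-NXDOMAIN" if rcode == 3 else "")

def check_server(server, qname, expected, recursion_desired=False, timeout=2.0):
    """Query one server over UDP; return (matches_expectation, classification)."""
    query = build_query(qname, recursion_desired=recursion_desired)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        response, _ = s.recvfrom(4096)
    if response[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    got = classify(response)
    return got == expected, got

if __name__ == "__main__":
    # Placeholders: published authoritative IP, recursor IP, a hosted zone, a foreign name.
    AUTH, RECURSOR = "192.0.2.53", "192.0.2.54"
    checks = [
        (AUTH, "www.example.com", "AUTHORITATIVE"),
        (AUTH, "www.example.net", "REFUSED"),
        (RECURSOR, "www.example.com", "NON-AUTHORITATIVE"),
    ]
    for server, name, expected in checks:
        ok, got = check_server(server, name, expected, recursion_desired=(server == RECURSOR))
        print("%-12s %-18s expected %-18s got %-18s %s" % (server, name, expected, got, "OK" if ok else "FAIL"))
```

Run it against the new servers while they are still on private addresses; every row should print OK before the published IP is moved.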


[Pdns-users] Old 3.3.1-1 to 4.1.3 Authoritative and Recursor issue

2018-07-02 Thread Steven Spencer
Greetings,

We have been using PowerDNS for a very long time. I've converted from
several older versions to new ones and separated our recursor from our
authoritative server about 6 years ago. We are also a small IT shop, so
sometimes things get behind, which is where we are at the moment with PDNS.

What I'm trying to get my mind around is the changes to how the
recursive server communicates with the authoritative server. In an
attempt to take our new servers live last night, our authoritative
server would answer for domains that we are authoritative for, but would
not answer for anything that required the recursor. The recursor,
however, answered just fine for everything, but showed everything as a
Non-authoritative answer, even for things that we are authoritative for.
In reading the documents, I came across the *"Migrating from using
recursion on the Authoritative Server to using a Recursor"
*(https://doc.powerdns.com/authoritative/guides/recursion.html) article
which I initially discounted, as we have, again, been running separate
recursors and authoritative servers for quite a few years. The removal
of the ability to specify the recursor within the pdns.conf, seems to
have changed the entire dynamic of the request/reply framework. (we used
the recursor= to specify the recursor's address which resided on its own
hardware). Up to this point, our authoritative server has had the
publicly advertised DNS address, but if I'm reading this article
correctly, it /looks/ like we need to switch the recursor to run as the
IP of what we have published as our DNS address. So, my questions are:

* Is this the case, do I need to change my IP scheme so that the
recursor(s) for our domain actually have the IP address of the published
DNS servers?

* If so, is it OK that answers will show up on the recursor as
non-authoritative even if we are indeed authoritative for the domain?

* finally, does this adversely affect the way that the root DNS servers
communicate with our zone?

Thanks in advance,

-- 
-- 
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 1131
Mobile 402-765-8010 



Re: [Pdns-users] PDNS Auth Zone Distribution in a Global Network?

2018-07-02 Thread Thomas Mieslinger

Hi Anthony,

I have servers in Europe and USA. I'm using the MySQL Backend. It takes 
typically less than 1 second to propagate changes. MySQL replication can 
easily be monitored using "seconds behind master" from "show slave status".


Cheers

Thomas


On 06/29/2018 11:23 PM, Anthony Eden wrote:

