PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

Recursor should support resolver API as an alternative source for forward zone definition #8314

Open sshipway opened 4 years ago

sshipway commented 4 years ago

Short description

The Recursor currently allows forward rules to be specified using explicit zones, or a file. It would be very helpful (for smaller installations) to also support the API of a Resolver as the source, i.e. forward all requests for Zones handled by this resolver to this resolver.

Usecase

Small organisations will likely use a single Resolver. The latest version of pdns now means it is necessary to also have a recursor installed, but this then needs to know the domains to send to the resolver - if you have split DNS or unadvertised local slaves then just following NS records won't work. Allowing the Resolver to automatically configure itself from the API would make this much simpler than having to have a separate cronjob exporting to a file which is then loaded.

Description

In the recursor.conf, have an option similar to forward-pdns=127.0.0.1:8081:secret=127.0.0.1:5300

This would mean "connect to the PDNS API on 127.0.0.1:8081, using API key 'secret', and identify the Zones on that server. Any queries for these zones, forward to 127.0.0.1:5300"

It would also be necessary to refresh this periodically (possibly a separate setting for frequency) in case of new zones being added.

We can achieve a similar effect using a periodic cronjob to do pdns_control list-zones into a file and then call rec_control reload-zones but it would be preferable to have this functionality built-in.

pentiumoverdrive commented 3 years ago

I had big problems when upgrading to newer PDNS within my org with hundreds of zones, but this big problem had a somewhat simple and stupid workaround though:

Hourly cronjob that fetches whatever is in the authoritative database:

#!/bin/bash
# Dump every zone name from the authoritative database, drop blank lines,
# and rewrite the forward file so each zone points at the authoritative
# server on 127.0.0.1:6666; then tell the recursor to re-read the file.
su -c 'psql -d pdns -t -c "select name from domains"' postgres | sed '/^$/d' | awk '{print $1"=127.0.0.1:6666"}' > /opt/dns-forwardfile/forward.dns
rec_control reload-zones

then in recursor conf: forward-zones-file=/opt/dns-forwardfile/forward.dns

It's not very bulletproof and could potentially create sad tears when the file is all of a sudden empty. I would love to automate this in a safer way.

sshipway commented 3 years ago

@pentiumoverdrive -- I am currently doing similar, except that instead of using psql to get the domain list I'm using pdns_control list-zones (with a bit more shell wrapped around to make sure I don't accidentally erase the forwards file if something goes wrong). Works, but not ideal and I would like to see this functionality integrated into pdns-recursor.
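A safer form of the cron workaround the two comments above describe, as an added example that is not code from either commenter or from the PowerDNS project: it reads the zone list on stdin (the output of pdns_control list-zones, or of the psql query above), keeps only lines that look like a bare zone name, writes the result to a temporary file and renames it into place, and leaves the existing forward file untouched when the list comes back empty. The /opt/dns-forwardfile path, the 127.0.0.1:5300 target and the sample zone names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread's commenters or from PowerDNS).
# Builds a forward-zones-file from a zone list on stdin without ever
# replacing the live file with an empty one.

# Render "zone=TARGET" lines from zone names read on stdin.
# Trailing whitespace and a trailing dot are stripped; any line that is
# not a plain zone name (blank lines, summary lines such as a zone count)
# is ignored so stray output cannot turn into a bogus forward rule.
render_forwards() {
    target="$1"   # assumed authoritative listener, e.g. 127.0.0.1:5300
    awk -v t="$target" '
        { sub(/[[:space:]]+$/, ""); sub(/\.$/, "") }
        /^[A-Za-z0-9._-]+$/ { print $0 "=" t }'
}

# Write the rendered forwards to $dest atomically.
# Returns 1 and leaves $dest untouched when nothing usable was rendered.
install_forwards() {
    dest="$1"
    target="$2"
    tmp="$dest.tmp.$$"           # same directory, so the rename is atomic
    render_forwards "$target" > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "refusing to install an empty forward file; keeping $dest" >&2
        return 1
    fi
    mv -f "$tmp" "$dest"
}

# Cron entry point: only runs where the PowerDNS tools are installed.
# Reload is only triggered when a non-empty file was actually installed.
if command -v pdns_control >/dev/null 2>&1 && command -v rec_control >/dev/null 2>&1; then
    pdns_control list-zones \
        | install_forwards /opt/dns-forwardfile/forward.dns 127.0.0.1:5300 \
        && rec_control reload-zones
fi
```

Point forward-zones-file at the installed path as in the comment above; because the file is replaced by rename, the recursor never observes a half-written or empty file, and a failed database or pdns_control call simply leaves the previous forwards in service.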