[Freeipa-users] separating authoritative servers from recursive servers

Petr Spacek pspacek at redhat.com
Tue Oct 6 11:42:45 UTC 2015


On 6.10.2015 03:40, Brendan Kearney wrote:
> I have two BIND instances in somewhat of a multi-master server arrangement,
> where they share the same LDAP backend via bind-dyndb-ldap.  Currently, they
> are authoritative and recursive servers, and I want to change things up a
> bit.  I want to move the recursive function to a third device.  For this, I
> believe I need to set a forwarder for the two current servers.  I believe I
> would do this by adding the idnsForwarders object (with value) on the OU that
> is the idnsConfigObject.
> 
> I am looking for a sanity check, to ensure that I am not overlooking something
> important.  Are there any steps I am missing?  I want the current two
> instances to be authoritative for all my forward and reverse zones, and use
> the forwarder for all recursion.  The forwarder instance is already running,
> and is set up to answer queries from only the two current instances.  I think I
> just need to point the current instances to the forwarder instance, and turn
> off recursion on them.

Hmm, I think there is some confusion about the terms we use.

A pure authoritative server would give out answers only for the zones it is
authoritative for (i.e. zones defined in /etc/named.conf or LDAP) and refuse
to answer all other queries. Is that what you are looking for?

In contrast, a recursive server would answer queries for any zone. If you really
want to separate the authoritative and recursive roles, then you should:

(0. As always: Make sure that delegation for all your zones is correct.)
1. Set up recursive-only server. Add 'allow-recursion { IP_range; };' to
named.conf.
2. Reconfigure all clients to use the recursive-only server and not to ask
authoritative servers directly.
3. Reconfigure authoritative servers by adding 'allow-recursion { none; };' to
named.conf.

No changes in LDAP should be necessary.

Does that answer your question?

-- 
Petr^2 Spacek
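
As an added illustration of the three steps above (this is not configuration
from the thread, FreeIPA, or bind-dyndb-ldap), here are the named.conf excerpts
for the two roles. The ACL name "clients", the range 192.0.2.0/24 and the
address 192.0.2.10 are placeholders; zone definitions are left out because on an
IPA-managed server they live in LDAP and need no change, as Petr says.

```conf
// Added example (not from the thread): named.conf excerpts for the
// authoritative/recursive split. All addresses and ACL names are placeholders.

// --- recursive-only server (step 1): the box clients are pointed at (step 2) ---
acl "clients" { 192.0.2.0/24; 127.0.0.1; };
options {
    recursion yes;
    allow-recursion { clients; };   // only our own clients may recurse
    allow-query     { clients; };   // and nobody else gets answers at all
    // No zones are defined here; this server resolves everything from the
    // roots (or through a forwarder, if site policy requires one).
};

// --- authoritative servers (step 3) ---
options {
    allow-recursion { none; };      // refuse recursion for every client
    allow-query     { any; };       // but keep answering for our own zones
    // Zones stay where they are: /etc/named.conf or LDAP via bind-dyndb-ldap.
};
```

To check the result from a client, query the authoritative server for a name in
one of its zones and for a name outside them: the first answer should carry the
AA flag, the second should come back REFUSED with no RA flag, while the same
two queries against 192.0.2.10 both succeed. Once all clients have been moved
(step 2) and nothing still asks the authoritative servers for outside names,
`recursion no;` on those servers is an equivalent and slightly more explicit way
to state the same policy; that is my suggestion, not something the thread says.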
