Hello Alex,
On Sun, 2021-03-21 at 23:19 +0100, Alex JOST wrote:
I'll try to rephrase: The idea is to have Knot Resolver listening on
port 53 as an open resolver and forwarding queries for specific domains
to Knot DNS (as authoritative DNS).
Authoritatives and recursives provide a different kind of service and to
different "clients"; on a quick look I see that in the article though.
Historically I think both functions were commonly done by a single
service - BIND/named can still do it - but nowadays it's recommended to
run them separately. (Well, injecting a few "authoritative"
modifications of DNS inside a recursive server seems OK, but that's a
bit different.)
AFAICT BIND and PowerDNS can do this and some (or many?) people are
combining authoritative+recursive resolvers.
PowerDNS Authoritative and Recursor cannot do this, and never could.
But https://dnsdist.org/ might be what you are looking for. It allows
you to forward queries to different backends (in your case, Knot DNS
and Knot Resolver) based on source subnet, queried domain name,
Recursion Desired bits, etc.
This post mentions that it is possible to do this with PowerDNS (at
least the other way around):
Thanks for the link to dnsdist. It's not what I was looking for, but it
sounds interesting and I will have a closer look.
So far I've not found many compelling reasons not to do this besides
"it's not recommended".
Speaking from 10 years of experience talking to PowerDNS users, mixed setups quite often
end up causing confusion and surprises. It's hard to give you a specific reason
because there are many different reasons this ends badly.
The lack of resources on the internet about this topic implies that this
setup isn't very common but I had hoped to hear some concrete examples.
--
Alex JOST
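As an added illustration of the dnsdist suggestion made in the thread (this is not a config posted by anyone in it), the following dnsdist.conf puts dnsdist on port 53 in front of a Knot DNS authoritative and a Knot Resolver recursive backend; the backend ports, the zone name and the client networks are assumed placeholders.

```lua
-- Added example, not from the thread: dnsdist as the port-53 front end that
-- splits traffic between an authoritative and a recursive backend.
-- Backend addresses/ports, the zone and the client networks are assumed.
setLocal("0.0.0.0:53")

-- dnsdist's default ACL only admits RFC1918 and loopback clients, so it
-- must be opened for the authoritative zone to be reachable from outside.
-- Who may recurse is then enforced by the rules below, not by the ACL.
setACL({"0.0.0.0/0", "::/0"})

-- Backends (ports are assumed): Knot DNS and Knot Resolver moved off 53.
newServer({address="127.0.0.1:5353", pool="auth", name="knot-dns"})
newServer({address="127.0.0.1:5354", pool="recursor", name="knot-resolver"})

-- Rules are evaluated in order; the first match wins.
-- 1. Names under the locally served zone go to the authoritative pool.
addAction(QNameSuffixRule({"example.org."}), PoolAction("auth"))

-- 2. Everything else is recursion. Limit it to local client networks
--    (assumed ranges) so the listener does not become an open resolver.
local localNets = newNMG()
localNets:addMask("192.0.2.0/24")
localNets:addMask("127.0.0.0/8")
addAction(NotRule(NetmaskGroupRule(localNets)), RCodeAction(DNSRCode.REFUSED))

-- 3. Allowed clients asking with Recursion Desired go to Knot Resolver.
addAction(RDRule(), PoolAction("recursor"))

-- 4. Anything left (RD=0 for a name we are not authoritative for) is refused
--    rather than silently recursed.
addAction(AllRule(), RCodeAction(DNSRCode.REFUSED))
```

Rule 2 is the part that separates the two "clients" the thread talks about: the authoritative zone stays answerable to the whole Internet, while recursion is confined to the networks you name.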