Using proxy DNS servers for bind as an alternative to slave servers.

Kevin Darcy kcd at
Mon Jul 2 21:35:35 UTC 2012

On 7/1/2012 2:42 PM, J P wrote:
> Hello all!
> I understand RFC compliant DNS servers use AXFR and IXFR for synching 
> bewteen masters and slaves... and that this is the general scenario 
> for that purpose.
> However, I need somebody to technically explain to me why cant I use a 
> DNS resolver daemon such as the pdnsd  dns proxy daemon with a cache 
> of for example 5 minutes... so I can configure it to forward requests 
> to my master (where I feed and store my zones), with the cache being 5 
> minutes then iam sure the latency between my master and the proxy will 
> be minimal.
> Is this possible why yes or why not.
I don't really know much about pdnsd, so I have a simple question for 
you: does pdnsd answer with the AA (authoritative answer) bit set or not?

If it does, and it doesn't have a full copy of the zone at all times, 
then it is violating the DNS spec and all bets are off as to how well 
that will play with iterative resolvers.

If it doesn't, then its answers are likely to be rejected by iterative 
resolvers, who want to see that bit set on the responses.

The bottom line is: don't pretend to have a full, replicated copy of the 
zone if you don't have a full, replicated copy of the zone. Now, 
strictly speaking, you don't have to use AXFR/IXFR to do the replication 
-- some people prefer configuring all their "slaves" as "type master" in 
named.conf and then using some other non-DNS-standards-defined method to 
do the replication (e.g. rsync or scp, combined with a "rndc reload" to 
read the contents back in each time). Many commercial DNS management 
products use other methods to replicate the data (QIP uses its "message" 
subsystem; Infoblox uses "grid replication"). But calling a mere cache 
or "proxy" a "slave" is just asking for trouble...

                                                 - Kevin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the bind-users mailing list