
DNS Split-View using Bluecat BDDS as hidden Primary and PowerDNS as auth Secondary

  • April 9, 2026
  • 3 replies
  • 20 views

We are introducing DNS Splitview/Split Horizon at the moment. We have two views on our BDDS server, one external view and one internal view. BDDS is hidden Primary for both views.

We have two PowerDNS servers as authoritative secondaries for the external view and two PowerDNS servers as auth secondary for the internal view. The deployment roles in the view are set to these servers.

We use the supermaster feature of PowerDNS for zone transfer.

The external view is working as expected. In the internal view the zone transfer is not really working; it seems like the internal PowerDNS server queries the external view on the BDDS.

How can we achieve the split view in this setup? Is there a design error in our setup?

 

3 replies

  • Network VIP Newbie
  • April 9, 2026

Yes, there is likely a design issue. PowerDNS supermaster or autoprimary does not understand BlueCat views. It mainly identifies the primary by the source IP of the NOTIFY and the NS data. If both the internal and external view come from the same BDDS hidden primary IP, PowerDNS cannot reliably tell which view it should transfer, so the internal secondaries may indeed end up talking to the external view. To make this work cleanly, each view should have its own hidden primary identity, ideally a different source IP per view. If BDDS cannot present separate IPs per view, then supermaster is the wrong mechanism here and the design is not a clean fit for split horizon with the same zone name in both views.


Thank you! So I think I have to assign a second server interface/IP address to the BDDS and set the deployment of the internal view to this interface.


  • Trusted Resolver
  • April 9, 2026

You don’t absolutely have to do it with additional interfaces/IPs; you can use TSIG keys instead to ensure you’re communicating with/transferring the desired view (at least you can with BIND). See https://kb.isc.org/docs/aa-00851 for some BIND examples. Not sure how to do this in PowerDNS, and you may have challenges inducing Bluecat to write out the required key-specific configurations.
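
The TSIG approach from the reply above, sketched as an added example for the primary side in generic BIND 9 `named.conf` syntax. It is not part of the original posts and not BDDS-generated configuration; key names, zone name, file paths and addresses (documentation ranges) are assumptions, and the secondary-side PowerDNS setup is not covered.

```conf
// Constructed example: hidden primary serving one zone name in two views.
// Each view is selected by the TSIG key that signs the request, so both
// sets of secondaries can talk to the same primary IP address.

key "xfer-internal" { algorithm hmac-sha256; secret "REPLACE_WITH_BASE64_SECRET_A"; };
key "xfer-external" { algorithm hmac-sha256; secret "REPLACE_WITH_BASE64_SECRET_B"; };

// Address-only selection, for comparison: views are tried in order and the
// first match-clients hit wins, so a secondary whose source address falls
// into the wrong list is served the other view without any error.
//   view "external" { match-clients { any; }; ... };

view "internal" {
    // A request signed with xfer-internal matches here from any source IP.
    // A request signed with xfer-external is refused by this view even if
    // it comes from the internal range (ACL elements are first-match).
    match-clients { key xfer-internal; !key xfer-external; 192.0.2.0/24; };

    zone "example.com" {
        type primary;                       // "master" on older BIND releases
        file "internal/example.com.db";
        allow-transfer { key xfer-internal; };
        notify explicit;                    // NOTIFY only the listed servers
        // NOTIFYs are signed with the view's key (assumed secondary IPs).
        also-notify { 192.0.2.10 key xfer-internal; 192.0.2.11 key xfer-internal; };
    };
};

view "external" {
    match-clients { key xfer-external; !key xfer-internal; any; };

    zone "example.com" {
        type primary;
        file "external/example.com.db";
        allow-transfer { key xfer-external; };
        notify explicit;
        also-notify { 198.51.100.10 key xfer-external; 198.51.100.11 key xfer-external; };
    };
};
```

To verify the result, request the zone's SOA from the primary once with each key and compare the serials or record sets; a transfer signed with the wrong key should be refused rather than answered from the other view.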