SOA/NS Question

Barry Margolin barmar at bbnplanet.com
Thu Sep 16 17:23:34 UTC 1999


In article <199909161549.KAA23569 at achilles.ctd.anl.gov>,
Barry Finkel  <b19141 at achilles.ctd.anl.gov> wrote:
>I have a question about SOA and NS records, and their interaction.
>
>In our DNS configuration, we have three machines - dns0, dns1, and dns2
>(plus two off-site secondaries).  We make updates to dns0, and make sure
>that the changes are correct.  Then we propagate the changes to dns1 and
>dns2.  Our forward zones look like this:
>-----
>$ORIGIN ctd.anl.gov.
>; $INCLUDE named.local
>;       named.soa
>;       define start of authority, name servers and loopback
>;       As per BIND 4.9 operations guide, serial number format is now
>;               "YYYYMMDDNN" where NN is the daily sequence number.
>;
>@               IN      SOA     dns1.anl.gov. hostmaster.anl.gov. (
>                                1999091600      ; Serial
>                                7200            ; Refresh     - 2 hours
>                                3600            ; Retry       - 1 hour
>                                1209600         ; Expire      - 14 days
>                                604800     )    ; Minimum TTL - 7 days
>                IN      NS      dns1.anl.gov.
>                IN      NS      dns2.anl.gov.
>                IN      NS      nsx.lbl.gov.
>                IN      NS      ns2.es.net.
>localhost       IN      A       127.0.0.1
>$INCLUDE hosts.ctd
>$INCLUDE mx.ctd
>$INCLUDE cname.ctd
>-----
>
>We have NOT listed dns0 in a NS record, as we do not want machines to
>query that name server.  The SOA record points to dns1, as that is the
>"primary" dns server we want machines to be querying.  Our off-site
>secondaries are generating error messages stating that dns1 is really 
>not the SOA.

What is the specific error message they're giving?  I've never seen a
message that complained that a server is not the SOA.  I just queried dns1
for the SOA record and the response looked fine to me.

>Can I correct the problem by changing the SOA to point to dns0?
>Will machines begin to query dns0, or will they not query dns0 because
>dns0 does not appear in an NS record?  

As far as I know, the only DNS software that cares about the hostname in
the SOA record is Dynamic Update -- it will send updates to the primary
server listed there.  Nothing else uses that field of the SOA record (I
think BIND 8.1.0 had a "feature" where it would reject a zone if the MNAME
weren't also an NS record, but it was fixed when lots of complaints were
received from people with hidden primaries, like you're doing).

>If I can change the SOA to point to dns0 without problems, then this 
>will aid in one problem I will have with Windows 2000.  Win2000 finds
>the SOA for a zone to determine to which dns it should send a dynamic 
>update.  In the example trace I posted last week, Win2000 sends a
>request to register 
>
>     lizzard.ctd.anl.gov    IN   A    146.137.160.161
>
>to 
>
>     dns1.anl.gov
>
>and we do not want dynamic updates to that dns.  We want any dynamic 
>updates (once we decide how to handle them) to be sent to dns0, as it
>is dns0 that has the master copy of each zone.  Thanks.

Yes, as I said above, putting dns1 in the SOA record will not cause queries
to go there, it will only affect dynamic updates.  So everything should be
OK if you do this.

-- 
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
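Added example, not part of the original exchange: a small Python script that parses a zone fragment like the one quoted above and reports whether the SOA MNAME is also published in the apex NS RRset. That is the check BIND 8.1.0 briefly enforced, and MNAME-not-in-NS is exactly the "hidden primary" layout the poster is asking about (resolvers follow NS records, while RFC 2136 dynamic-update clients such as Windows 2000 send UPDATEs to the MNAME host). The sample zone is reconstructed from the post with the comment and $INCLUDE lines dropped; the dns0 variant, the parser itself and the advice in the report text about restricting who may send updates are the editor's additions, not the poster's or BIND's.

```python
"""Parse a BIND-style zone fragment and check SOA MNAME against the apex NS set."""
from typing import Iterator, NamedTuple

# Constructed sample: the zone from the thread, minus comments and $INCLUDEs.
SAMPLE_ZONE = """\
$ORIGIN ctd.anl.gov.
@               IN      SOA     dns1.anl.gov. hostmaster.anl.gov. (
                                1999091600      ; Serial
                                7200            ; Refresh     - 2 hours
                                3600            ; Retry       - 1 hour
                                1209600         ; Expire      - 14 days
                                604800     )    ; Minimum TTL - 7 days
                IN      NS      dns1.anl.gov.
                IN      NS      dns2.anl.gov.
                IN      NS      nsx.lbl.gov.
                IN      NS      ns2.es.net.
localhost       IN      A       127.0.0.1
"""

# The change the poster is considering: MNAME pointing at the unpublished dns0
# (editor's constructed variant, not a configuration shown in the thread).
HIDDEN_ZONE = SAMPLE_ZONE.replace("SOA     dns1.anl.gov.", "SOA     dns0.anl.gov.")


class SoaCheck(NamedTuple):
    origin: str             # zone apex (owner of the SOA)
    mname: str              # SOA MNAME: where RFC 2136 UPDATE clients send updates
    nameservers: frozenset  # names in the apex NS RRset (what resolvers query)
    hidden_primary: bool    # True when MNAME is not published as an NS


def _logical_records(text: str) -> Iterator[str]:
    """Yield one logical record at a time, joining '(' ... ')' continuations."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]        # ';' starts a comment (no quoted strings here)
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0


def _absolute(name: str, origin: str) -> str:
    """Make a zone-file name absolute: '@' is the origin, relative names get it appended."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def check_soa_mname(zone_text: str) -> SoaCheck:
    origin, owner, soa_owner, mname = ".", None, None, None
    ns_by_owner: dict = {}
    for rec in _logical_records(zone_text):
        tokens = rec.replace("(", " ").replace(")", " ").split()
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        if tokens[0].startswith("$"):      # $INCLUDE, $TTL: not needed for this check
            continue
        if rec[0].isspace():               # leading whitespace: owner carried over
            if owner is None:
                raise ValueError("record without an owner name")
        else:
            owner, tokens = _absolute(tokens[0], origin), tokens[1:]
        if tokens and tokens[0].isdigit():  # optional TTL
            tokens = tokens[1:]
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):  # optional class
            tokens = tokens[1:]
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype == "SOA":
            soa_owner, mname = owner, _absolute(rdata[0], origin)
        elif rtype == "NS":
            ns_by_owner.setdefault(owner, set()).add(_absolute(rdata[0], origin))
    if mname is None:
        raise ValueError("no SOA record found")
    apex_ns = frozenset(ns_by_owner.get(soa_owner, set()))
    return SoaCheck(soa_owner, mname, apex_ns, mname not in apex_ns)


def report(check: SoaCheck) -> str:
    lines = [f"zone {check.origin}: SOA MNAME = {check.mname}",
             "  apex NS: " + ", ".join(sorted(check.nameservers))]
    if check.hidden_primary:
        lines.append("  MNAME is not in the NS RRset: hidden-primary layout. Resolvers will "
                     "not query it, but RFC 2136 clients (e.g. Windows 2000) will direct "
                     "dynamic UPDATEs at it; make sure that host deliberately restricts "
                     "who may update it.")
    else:
        lines.append("  MNAME is a published NS: queries and dynamic UPDATEs land on the same host.")
    return "\n".join(lines)


if __name__ == "__main__":
    for zone in (SAMPLE_ZONE, HIDDEN_ZONE):
        print(report(check_soa_mname(zone)))
```

Run it against a zone file exported from the master to see which host the SOA currently nominates for updates; the same parse can be fed the output of a live SOA/NS query if the names are written as absolute names with trailing dots.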
