"Extra" NS on zone file can be used?

Kevin Darcy kcd at daimlerchrysler.com
Mon Aug 14 23:08:22 UTC 2000


Jesus Couto wrote:

>         Hi,
>
>         Thanks for the answer. The FAQ from where I got that is the
> comp.protocols.tcp-ip.domains FAQ that is included into the misc directory
> of the bind-doc package; it's a little bit old (7 Dec 1996), so maybe it's
> not on the newer versions of it.
>
>         Your idea about giving the hidden master a name that resolves
> externally as a public slave sounds interesting, but implies
> managing 2 different versions of a public zone file.

You could create a zone file for just that one name, e.g.
ns1.mypublicdomain.com could be a zone by itself. You'd only need to touch
that zone if the address of the master changes -- very low maintenance.

> Don't know if it
> would be better to do it the hard way once, by hacking nsupdate or using
> the Net::DNS perl modules to implement something like it, to save the
> complication of managing 2 copies of a public zone. Unless there is
> another very good reason why we shouldn't touch nsupdate; that is, some
> strong reason why the NS lookup it does is unavoidable. So far I think
> that with a "targeted" nsupdate, we could use the hidden master private
> name on the SOA and not list it as a NS, and it would work fine, as all
> updates are going to be against the same master, and the nsupdate code
> that organizes updates into zones and sends them to the corresponding
> nameservers is not going to make any difference.

You'd have to port this nsupdate hack to every future version of the program;
basically you'll be hacking nsupdate forever. And you'd better document this
hack well, so that if you ever move on to another position, your successor
will know that there's some "magic" in nsupdate that enables the whole
subsystem to work, and that _they_ now have the responsibility of hacking
this magic into nsupdate forever...

I think my preference would be to "split" the name of the master. At least
then any competent DNS admin could figure out how you have things set up, and
there wouldn't be any continuing maintenance of the nsupdate program.


- Kevin




