problem "hiding" master server

Mark.Andrews at nominum.com
Mon Jul 2 00:18:27 UTC 2001


	Thanks for the report.

> 
> Thanks for the answers! :)
> 
> My reason for leaving out the root zone is that I would like it to
> only answer queries for which it's authoritative so it won't ever have to
> send queries to anyone. Well, I guess that with "recursion no" and
> "fetch-glue no" the server will not answer such queries.. ?
> 
> Okay, you mean that I should just put the master server in the SOA
> record but not in the NS records? Well, I would like to hide the
> master server totally... We tried the also-notify option which seemed
> to do the trick... so I think I'll stick to that... but I guess it's
> kind of the same as with the bind 9 notify option.. ?
> 
> 
> Regards
> Christian Rasmussen
> 
> 
> Mark.Andrews at nominum.com wrote in message news:<9hb9mn$mum at pub3.rc.vix.com>...
> > > 
> > > My setup is as follows:
> > > 2 caching only name servers: dns.x.x. and dns2.x.x.
> > > 3 authoritative "reachable" slave name servers: ns.x.x., ns2.x.x. and
> > > ns3.x.x.
> > > 1 master authoritative which isn't reachable from outside: master.x.x.
> > > 
> > > The authoritative name servers are configured to run without root zone, this
> > > is done by:
> > >         recursion no;
> > >         fetch-glue no;
> > > 
> > > on the slave servers the zones are configured with:
> > > zone "x.x" in {
> > >   type slave;
> > >   file "x.x";
> > >   masters {x.x.x.x;  };
> > > };
> > > 
> > > 
> > > however I often get the error:
> > > 
> > > default: sysquery: nlookup error on ?
> > > 
> > > If I add the root zone the error seems to stop, isn't it possible to run
> > > without root zone, or do I then just have to ignore this error??
> > > 
> > > 
> > > All zone-editing is done on the "hidden" master server, all zones have the
> > > following SOA and NS records:
> > > @ 86400 in soa ns.x.x. hostmaster.x.x. ( 2001061403 28800 7200 604800
> > > 86400 )
> > > @ 86400 in ns ns.x.x.
> > > @ 86400 in ns ns2.x.x.
> > > @ 86400 in ns ns3.x.x.
> > > 
> > > 
> > > The problem is that ns.x.x isn't notified, and from what I understand from
> > > DNS and BIND it's because the master specified in the SOA which also has
> > > an NS record is assumed to be the master itself and should therefore not be
> > > notified! I guess a solution would be to specify master.x.x. as the master
> > > server in the SOA record and add an NS record for it, that way it doesn't
> > > notify itself but all the slaves....
> > > 
> > > However, the idea was to "hide" the master server so nobody can send queries
> > > to it from outside, and I'm not sure the master specified in the SOA record
> > > can be unreachable, wouldn't that be a problem?
> > 
> > 	Just put the true master in the origin field.  All DNS
> > 	operations are supposed to be directed at the listed
> > 	nameservers.  This includes both queries and update requests.
> > 
> > 	Apart from broken W2K beta boxes and only then when sending
> > 	updates.  The only queries that will be directed directly
> > 	at the master are from the slaves or humans trying to
> > 	diagnose problems.
> > 
> > 	Mark
> > > 
> > > A better solution might be to specify ns.x.x. as the master server and then
> > > use the "also-notify ns.x.x" on the master server, that way ns.x.x. should
> > > be notified even though the server believes it's the master....
> > > 
> > > It seems there are a number of solutions, but my idea was that the slave servers
> > > should only handle queries and not notifying/pulling zones from each other,
> > > this should instead be done by the master server which doesn't use CPU on
> > > answering queries.. Anyone have any comments/suggestions? Perhaps from a
> > > similar setup?
> > > 
> > > 
> > > Regards
> > > Christian Rasmussen
> > >
> 
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
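The hidden-master arrangement the thread settles on (SOA MNAME left as ns.x.x., the true master reaching all three listed slaves with also-notify) written out as an added BIND 9 configuration example. It is not from the original posts or from BIND's own documentation. The host names and zone name are the ones used in the thread; the addresses are constructed from the RFC 5737 documentation range. The BIND 8 "fetch-glue no" from the original setup is left out because BIND 9 treats that option as obsolete. The allow-query/allow-transfer/allow-notify restrictions are an addition: they make the "hidden" part of the setup something the master enforces, rather than something that only follows from leaving it out of the NS set.

```conf
// --- named.conf on master.x.x. (the hidden master) ---
// Constructed addresses (RFC 5737 documentation range):
//   master.x.x. = 192.0.2.1, ns.x.x. = 192.0.2.11,
//   ns2.x.x. = 192.0.2.12, ns3.x.x. = 192.0.2.13
acl "slaves" { 192.0.2.11; 192.0.2.12; 192.0.2.13; };

options {
    recursion no;                          // authoritative-only, as in the thread
    allow-query { "slaves"; localhost; };  // nobody outside the slave set can query the master
    allow-transfer { "slaves"; };          // only the listed slaves may pull the zone
    notify explicit;                       // send NOTIFY only to the also-notify list
    // BIND 8 "fetch-glue no" is obsolete in BIND 9 and intentionally omitted.
};

zone "x.x" in {
    type master;
    file "x.x";
    // ns.x.x. is the SOA MNAME, so a plain "notify yes" would skip it as
    // "the master itself"; listing it explicitly guarantees it is notified.
    also-notify { 192.0.2.11; 192.0.2.12; 192.0.2.13; };
};

// --- named.conf on ns.x.x., ns2.x.x. and ns3.x.x. (the public slaves) ---
options {
    recursion no;                 // answer only for zones they are authoritative for
    allow-transfer { none; };     // slaves serve queries; they do not feed each other
};

zone "x.x" in {
    type slave;
    file "x.x";
    masters { 192.0.2.1; };       // pull only from the hidden master
    allow-notify { 192.0.2.1; };  // accept NOTIFY only from it
};
```

The SOA and NS records stay exactly as posted in the thread, with ns.x.x. as MNAME and master.x.x. absent from the NS set. Mark's alternative (MNAME = master.x.x.) would let a plain "notify yes" reach all three NS hosts without also-notify, at the cost of publishing the hidden master's name in the SOA; either way the allow-query and allow-transfer lists above are what actually keep outside queries and transfers off the master.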