Secondary DNS

Kevin Darcy kcd at
Wed Oct 3 22:04:52 UTC 2001

There are a number of different approaches to this problem.

1) If you have a very limited, internal-root namespace, you could have a
script run on each slave, identifying what zones it should start or stop
slaving. The benefit of this method is that the process is quite
autonomous and therefore tends to be more secure. The downside, of
course, is that it is not appropriate for huge namespaces like the Internet.

2) Some folks just maintain a list of domains that each slave should be
slaving. You could distribute the list periodically any way you wish,
although one common method is to actually store the list in DNS itself,
and then the slaves query it and/or zone-transfer it periodically. When a
slave sees a new zone appear on the list, it would configure itself as a
slave for it.

3) You could replicate named.conf files out to the slaves using some
secure, out-of-band mechanism like rsync-over-ssh (as Dan Bernstein
recommends between instances of his nameserver implementation). There are
basically two different variants on this:

a) replicate the relevant zone definitions from the master to the slaves
*as*is* (if you have other parts of the named.conf file, e.g. the
"options" block, which should be different between the master and the
slaves, then you could use an "include" file to make a separation between
local and global configuration). Because this would cause all of the
slaves to be deluded into thinking that they are "master" for the zone,
you'd have to use some out-of-band mechanism (probably the same one) to
replicate the zonefiles as well.

b) munge the zone definitions of the master server's named.conf, changing
"master" to "slave", and replicate *that* out to the slaves.

Note that in either variant, you need a way to remotely tell the slave to
reload its configuration and/or reload zone files. You could use a secure
remote-execution mechanism (e.g. ssh) for this, or, with BIND 9, you
could use "rndc" for this function.

4) Although I've never tried this, in theory it should be possible to
have a slave automatically configure itself based upon the receipt of
NOTIFY messages from the master. You could just watch the logs for
NOTIFY. But you should be careful to verify the source and/or validity of
the NOTIFY messages, otherwise a bogus NOTIFY could trick you into
slaving a bogus version of a zone.

- Kevin

lee at wrote:

> Ok, I've configured my primary DNS server and manually entered all my
> domains and various host and MX entries.
> However I have also attempted to set up a secondary DNS. I have set up
> the server in the same way (I've attempted both Linux and IIS) and
> I've gone through manually and created the same domains on my secondary
> server as the ones on my primary, except they are secondary domains
> with a master set as the IP of my primary (takes a deep breath).
> This works great and the 2nd DNS server takes the records from the
> primary, but only if I manually add the domains.
> What I want to know is if it's possible to configure a secondary server
> that just reads all information from the primary server so that the
> 2nd server is practically unmanaged.
> Any ideas on this and how to do it?
> Lee
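Variant 3b above (munging the master's named.conf into a slave configuration) as an added example that is not part of Kevin's post: a small Python script that walks the master's zone stanzas, keeps only the "type master" ones, and emits slave stanzas pointing at the master's address. The sample named.conf and the master address 192.0.2.1 are constructed for illustration; the resulting text is what you would ship out via rsync-over-ssh before telling the slave to reload.

```python
import re

# Constructed sample of a master server's named.conf zone definitions
# (not from the original post); 192.0.2.1 is an assumed master address.
MASTER_CONF = """
options { directory "/var/named"; };
zone "." { type hint; file "named.root"; };
zone "example.com" {
    type master;
    file "masters/example.com";
    allow-transfer { 192.0.2.2; 192.0.2.3; };
};
zone "example.net" {
    type master;
    file "masters/example.net";
};
"""

ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*(?:IN\s*)?\{')


def zone_blocks(conf):
    """Yield (name, body) for each zone stanza, counting braces so that
    nested blocks such as allow-transfer { ... } stay inside the body."""
    for m in ZONE_RE.finditer(conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]


def slave_conf(master_conf, master_ip, slave_dir="slaves"):
    """Rewrite every 'type master' zone as a slave zone pulling from
    master_ip. Hint zones and zones the master itself only slaves are
    dropped; the master's file and allow-transfer settings are replaced
    by slave-side values so the slave never believes it is authoritative."""
    out = []
    for name, body in zone_blocks(master_conf):
        if not re.search(r"\btype\s+master\s*;", body):
            continue
        out.append(
            'zone "%s" {\n    type slave;\n    masters { %s; };\n'
            '    file "%s/%s";\n};' % (name, master_ip, slave_dir, name)
        )
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(slave_conf(MASTER_CONF, "192.0.2.1"))
```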
