DDNS and Hidden Master == Brain-Damaged

Eivind Olsen eivind at aminor.no
Thu Jan 27 10:53:01 UTC 2005


--On 26. januar 2005 23:41 -0800 Phil Dibowitz <phil at ipom.com> wrote:
> As someone about to hide our hidden master, it sounds like the best
> solution will be to make the SOA record *not* the hidden master, but
> instead a public DNS server, and then it's by all means... hidden.
> Does that break anything else?

If you put one of your front-end nameservers in the MNAME field of the 
SOA record, you'll have problems with NOTIFY: a hidden master running BIND 
9.x will send a NOTIFY message to every NS record in the zone, _except_ if 
it's also the MNAME.

I think I'll try to rephrase/explain, English isn't my primary language.

Let's say you have a hidden master dns0.example.com and two slaves that are 
reachable from the outside: dns1.example.com and dns2.example.com.

...and your zone file looks something like this (simplified...):

example.com.    IN  SOA  dns1.example.com. hostmaster.example.com. (
                         2005012701
                         ...etc..
                         )
                IN  NS   dns1.example.com.
                IN  NS   dns2.example.com.

When you then reload the zone on dns0, BIND 9.x will send notifies to the 
servers mentioned in the NS records, except for dns1.example.com, since it's 
in the SOA as well.

I think you can probably work around this brain-damage by configuring an 
"also-notify" statement in named.conf but I haven't tried this myself.

-- 
Hilsen / Regards
Eivind Olsen
eivind at aminor.no
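
An added example, not part of the original post: a small Python script that reads a zone fragment like the one above and reports which slaves the hidden master will NOTIFY and which one is silently skipped because it is also the SOA MNAME. The sample zone is constructed, and the `also_notify` parameter is an assumed stand-in for the named.conf "also-notify" workaround mentioned in the post, not a verified model of BIND's option.

```python
import re

# Constructed sample zone mirroring the post's example: the SOA MNAME names
# the public slave dns1 instead of the hidden master dns0.
SAMPLE_ZONE = """\
$TTL 3600
example.com.    IN  SOA dns1.example.com. hostmaster.example.com. (
                        2005012701 ; serial
                        3600 900 604800 300 )
                IN  NS  dns1.example.com.
                IN  NS  dns2.example.com.
"""

def parse_zone(text):
    """Return (mname, ns_names) from a zone file: the two inputs that decide
    where BIND 9 sends NOTIFY. Comments are stripped and parenthesised
    multi-line records are joined; other record types are ignored."""
    no_comments = "\n".join(line.split(";", 1)[0] for line in text.splitlines())
    joined = re.sub(r"\(([^)]*)\)",
                    lambda m: " ".join(m.group(1).split()), no_comments)
    mname, ns_names = None, []
    for line in joined.splitlines():
        fields = line.split()
        if "SOA" in fields:
            mname = fields[fields.index("SOA") + 1].lower()
        elif "NS" in fields:
            ns_names.append(fields[fields.index("NS") + 1].lower())
    return mname, ns_names

def notify_targets(mname, ns_names, also_notify=()):
    """Model the behaviour the post describes: NOTIFY goes to every NS owner
    except the one that is also the SOA MNAME. Entries in also_notify stand
    in for the named.conf 'also-notify' workaround (assumed here to be
    notified unconditionally; the post itself has not verified this)."""
    targets = [ns for ns in ns_names if ns != mname]
    for extra in also_notify:
        if extra.lower() not in targets:
            targets.append(extra.lower())
    return targets

def silently_skipped(mname, ns_names):
    """Slaves that will never receive NOTIFY from the hidden master."""
    return [ns for ns in ns_names if ns == mname]

if __name__ == "__main__":
    mname, ns = parse_zone(SAMPLE_ZONE)
    print("notified:", notify_targets(mname, ns))
    print("skipped: ", silently_skipped(mname, ns))
```

Run it against your own zone file to see whether a front-end server listed as MNAME would be left out; moving the hidden master's own name into MNAME (or listing the slave under also-notify) makes the skipped list empty.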
