Recommended DNS notify method for hidden master

Kevin Darcy kcd at chrysler.com
Mon Aug 16 18:37:47 UTC 2010


On 8/16/2010 1:48 PM, recvfrom at gmail.com wrote:
> Hi,
>
> I have several internal DNS servers, one of which is a hidden master
> for external zones.  The nameserver listed in the SOA RR is in a DMZ.
> The internal DNS servers forward all queries for non-authoritative
> zones to a DNS server in the DMZ that will perform recursive queries,
> but the internal nameservers are restricted from sending queries or
> notifications to outside nameservers (and even if they were, it's
> unlikely that a third-party slave would accept notifies from anything
> but the master as listed in the SOA RR).  What is the recommended
> method to configure DNS notify for the internal hidden master?  I
> recognize that I can specify 'notify-to-soa yes;' in the view
> statement (in which all of these zones are placed; or in individual
> zone statements), but that will still result in attempted notification
> to all of the other NS RRs for the zone.  I'd prefer that the hidden
> master notify the NS listed in the SOA RR, and that nameserver issue
> notification to all of the other NS RRs after it has pulled the
> zone(s).

I think the only way to prevent sending NOTIFYs to the nameservers in 
the NS records is to "hardcode" your NOTIFY lists with a combination of 
"also-notify"/"notify explicit".
> Will 'notify-to-soa yes;' still initiate a notification even
> if I turn off notify via 'notify no;'?
>
I'm pretty sure "notify yes/no" is a "master switch"; that if you 
specify "notify no" none of the other notify-related options come into play.

I could be wrong on that, though, since I haven't played with the 
NOTIFY-related options in recent versions of BIND.

- Kevin
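An added example (not from Kevin's post or the original question) of the "also-notify"/"notify explicit" arrangement described above, one BIND 9 named.conf fragment per server; the zone name, the view name and every address are assumed placeholders.

```conf
// --- Internal hidden master (assumed address 10.1.1.5) ---
// Zones live in a view, as in the question; "notify explicit" suppresses
// NOTIFY to every NS RR in the zone, so only the also-notify list is used.
view "external" {
    match-clients { 10.0.0.0/8; };

    zone "example.com" {
        type master;
        file "/var/named/example.com.zone";
        notify explicit;
        // 192.0.2.53 = the DMZ nameserver named in the SOA MNAME (assumed).
        also-notify { 192.0.2.53; };
        // Only the DMZ server may pull the zone from the hidden master.
        allow-transfer { 192.0.2.53; };
    };
};

// --- DMZ nameserver, the SOA MNAME (assumed address 192.0.2.53) ---
// Accepts NOTIFY from the hidden master, pulls the zone, and with the
// default "notify yes" sends NOTIFY to the remaining NS RRs itself.
zone "example.com" {
    type slave;
    file "/var/named/slaves/example.com.zone";
    masters { 10.1.1.5; };
    allow-notify { 10.1.1.5; };   // masters are accepted by default; stated for clarity
    notify yes;
    // Restrict outbound AXFR to the third-party secondaries (assumed addresses).
    allow-transfer { 198.51.100.10; 198.51.100.11; };
};
```

Check with "named-checkconf" on each host and confirm in the logs that the hidden master sends exactly one NOTIFY (to 192.0.2.53) after a serial bump, then that the DMZ server sends its own NOTIFYs after the transfer completes.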