Recommended DNS notify method for hidden master

recvfrom at gmail.com
Mon Aug 16 21:39:59 UTC 2010


On Mon, Aug 16, 2010 at 2:24 PM, Matus UHLAR - fantomas
<uhlar at fantomas.sk> wrote:
> On 16.08.10 13:48, recvfrom at gmail.com wrote:
>> I have several internal DNS servers, one of which is a hidden master
>> for external zones.  The nameserver listed in the SOA RR is in a DMZ.
>> The internal DNS servers forward all queries for non-authoritative
>> zones to a DNS server in the DMZ that will perform recursive queries,
>> but the internal nameservers are restricted from sending queries or
>> notifications to outside nameservers (and even if they were, it's
>> unlikely that a third-party slave would accept notifies from anything
>> but the master as listed in the SOA RR).  What is the recommended
>> method to configure DNS notify for the internal hidden master?  I
>> recognize that I can specify 'notify-to-soa yes;' in the view
>> statement (in which all of these zones are placed; or in individual
>> zone statements), but that will still result in attempted notification
>> to all of the other NS RRs for the zone.  I'd prefer that the hidden
>> master notify the NS listed in the SOA RR, and that nameserver issue
>> notification to all of the other NS RRs after it has pulled the
>> zone(s).  Will 'notify-to-soa yes;' still initiate a notification even
>> if I turn off notify via 'notify no;'?
>
> I would recommend you:
> - put real (hidden) master to SOA
> - put "notify explicit; also-notify { slave-1; slave-2; };" into its
>  configuration

Ahhh, I had forgotten about 'notify explicit;' -- that's exactly what I needed!

I implemented as follows:

Hidden master -- notify --> SOA MNAME -- notify --> all other slaves.

> so the hidden master will only send notifies to your public slaves,
> and the public slave(s) will send notifies to third party slaves.
>
> ...if you have some third-party slaves, they _must_ fetch the zone from one
> of your servers, your public slaves if not the hidden master. So they can
> send notifies.

Since the hidden master is not publicly accessible, I left it out of
the SOA, but all of your other suggestions were perfect.

> And in fact there's nothing bad in your hidden master sending the notifies
> to all NSs...

Well, except that they were all just dropped on the floor at the firewall,
as intended.  ;-)

Many thanks!!!

-r
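The arrangement described in this thread, written out as an added example of BIND 9 named.conf fragments for the two servers involved. This is not configuration from the original post; the zone name, file paths and all addresses (RFC 5737 documentation ranges and a private address) are placeholders.

```conf
// ===== Hidden master (internal; not an NS RR and not the SOA MNAME) =====
// All addresses are placeholders, not from the original post.
acl public-slave { 192.0.2.10; };           // DMZ server named in SOA MNAME

options {
    // "explicit" suppresses the default behaviour of notifying every NS RR
    // in the zone; only the also-notify list receives NOTIFY messages.
    notify explicit;
    also-notify { 192.0.2.10; };
    // Only the public slave should ever be able to pull the zone from here.
    allow-transfer { public-slave; };
};

zone "example.com" {
    type master;
    file "masters/example.com.db";
};

// ===== Public slave in the DMZ (this host is the SOA MNAME) =====
acl hidden-master { 10.0.0.5; };           // placeholder internal address
acl third-party-slaves { 198.51.100.20; 203.0.113.30; };  // placeholders

options {
    // Default notify: after loading a new serial this server notifies the
    // other NS RRs for the zone. Third-party slaves will accept these
    // because they arrive from the server listed in SOA MNAME.
    notify yes;
    allow-transfer { third-party-slaves; };
};

zone "example.com" {
    type slave;
    file "slaves/example.com.db";
    masters { 10.0.0.5; };                 // "primaries" in newer BIND 9
    // Accept NOTIFY for this zone only from the hidden master.
    allow-notify { hidden-master; };
};
```

The two halves belong in the named.conf of each respective server. After bumping the serial on the hidden master, its log should show the zone sending notifies to the single also-notify address only, and the DMZ slave's log should show the incoming notify, the transfer from 10.0.0.5, and its own notifies to the remaining NS RRs; any NOTIFY from the hidden master toward the third-party slaves indicates that `notify explicit;` is not in effect for that zone or view.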
