MNAME not a listed NS record

Chuck Swiger cswiger at
Thu Jan 17 01:04:53 UTC 2013

On Jan 16, 2013, at 4:30 PM, Barry Margolin wrote:
[ ... ]
>>>> On Jan 16, 2013, at 12:40 PM, Dave Warren wrote:
>>>>> Is there anything technically wrong with having a SOA MNAME field that 
>>>>> isn't listed as a NS record?
>>>> Sure.  The SOA MNAME is expected to be the "primary master" nameserver for 
>>>> the zone; it's where things like dhcpd and such send dynamic updates for 
>>>> the zone to.
>>> But that doesn't mean it should be the server for resolver queries.
>> True, but I don't see much utility from a nameserver which can be dynamically
>> updated but not queried.
> Who says you're using dynamic update? The MNAME field has been part of 
> the DNS standard since long before DHCP and dynamic update.  In many 
> instances it's just an FYI field.

Nothing says one is using dynamic updates; if you aren't, then sure, the
MNAME field is quite a bit less important than if you are.

[ ... ]
>> Sure.  In which case, why publish an internal-only machine into the public
>> DNS via your SOA record?  Someone else made mention of a "stealth master",
>> but my definition of that is an internal machine which is not visible in
>> any publicly published records.
> You have to put something in the MNAME. You could lie and put one of the 
> public nameservers, but why do that when you could put the true master?

Are you asking why someone would not publish an internal-only hostname?

Maybe it's using RFC-1918 addresses and only reachable on one's LAN?

>>> The performance requirements of a nameserver that serves public queries 
>>> are different from a server that only has to respond to zone transfer 
>>> requests from the published nameservers.
>> True.  Handling AFXRs isn't much work, and you can always revert to other 
>> methods of replicating zone data if need be, so my primary concern is making 
>> nameservers work well enough to handle the query load, and not to make nameservers
>> just handle zone transfers.
> Do that on the public nameservers.  The hidden master doesn't need to be 
> dedicated to nameserving, since it's not handling all the load that the 
> public servers do.

Sure.  The thing is, by the time an organization grows big enough to maintain
dedicated internal and external DNS views, and loads their DNS servers to the
point where dedicating a server just to act as master for zone data rather than
handling queries makes sense, well, you also tend to end up with firewalls,
load-balancers, and such which can redirect traffic based on source address,
server load and aliveness, etc.

You publish VIPs which handle your DNS traffic, and then balance that internally
onto your pool of reals (the DNS server boxes) as you choose.  Keeping query load
low or moving it entirely off of a particular box is a LB config change.  YMMV....


More information about the bind-users mailing list