Confused about a basic concept

btb at bitrate.net btb at bitrate.net
Wed Jun 5 22:35:52 UTC 2013


On 2013.06.05 10.02, Bryan Harris wrote:
> Hi all,
> 
> I think I may be confused about a very basic DNS concept.  Sorry if this has
> been asked before.
> 
> 1. I have a master and two slaves.
> 2. The master server is the SOA for my zone.  The SOA record points to the
> master server.
> 3. Each of the two slaves are authoritative for my zone.
> 4. There are 2 NS records for my zone.  The first NS = slave1 and the second NS
> = slave2.
> 5. The Master server is not listed in the NS records for my zone.
> 6. The master does not receive any queries from the clients.
> 7. The slaves receive queries from the clients.
> 8. The master -> slaves relationship is via tcp/53 (notifies & zone transfers)
> 9. The slaves -> clients relationship is via udp/53 (queries)
> 
> Is this correct so far?  I'm being told "our authoritative DNS servers should
> not receive any queries", as well as "DNS slaves respond to queries".  These
> statements seem like a conflict to me, but maybe I'm simply confused?

whoever said "our authoritative DNS servers should not receive any queries" is the confused one, not you.

master/slave has nothing to do with authoritative or not.  the master/slave mechanism/relationship is simply one [common] choice for duplicating zone data amongst servers, using an "in-band" mechanism.  what makes a nameserver authoritative for a zone is if it publishes zone data for that zone. where it gets the data it publishes [e.g. from a file, from a database, from some other server] has no bearing on that.  in concert with publishing the zone data, to be truly accepted as authoritative, the nameservers must of course be listed in the zone's ns records as well [and in the parent's delegation], but that's a bit of a digression.

what you describe above is typically referred as a "hidden master" configuration, and is occasionally used, but is by no means the norm, and certainly not any sort of technical requirement in the least.  while there are arguably "appropriate" environments/applications for a hidden master, the reality is that most people i've encountered using a hidden master don't need it, and when pressed, it becomes clear they're doing it because they think that the complexity of the implementation directly correlates to their technical prowess.  but then, i'm a cynical jerk :)

also, on another note, master/slave relationships are not exclusively tcp, and client/server [be it master or slave] are not exclusively udp.  dns uses port 53, period.  that means both udp and tcp.

> I don't see how a slave could respond to a query unless it's authoritative.  The
> only thing I can imagine is adding some more caching servers just for queries
> and have them forward+recurse to the authoritative slave servers (but they're
> not slaves themselves).  But even in that case, the authoritative servers would
> still need to respond to queries, no?  Otherwise how would the caching servers
> get any answers in the first place?

any server can respond to any query.  it just won't be an authoritative response unless that server has loaded/is publishing the zone data.  if you put caching nameservers in between the internet and your "actual" nameservers, then your zone would be plain and simple broken, because the nameservers answering queries for everyone on the internet would not be answering authoritatively [and yes, they'd still have to get those answers from the "actual" nameservers anyway].

-ben


More information about the bind-users mailing list