separation of authoritative and recursive functions on internal networks
Grant Taylor
gtaylor at tnetconsulting.net
Mon Feb 8 01:29:03 UTC 2016
On 02/07/2016 05:54 PM, Reindl Harald wrote:
> why?
(I believe I answered your question in the subsequent paragraph. If not,
let me know and I'll try again.)
> that's not a reason for not listing one of them as SOA
None of the slaves are the SOA. (Further, I'm not aware of them having
been configured to forward any updates, even if I allowed them, to the
real master.) So listing one of them as the SOA would be a lie.
> the slave doesn't need the SOA because it's typically configured to use
> whatever server as master which allows zone transfers, frankly you can
> even chain slaves pulling zones from other slaves
I know that slaves don't need (utilize) the SOA. That's not why I have
my master listed in the SOA.
I have my master listed in the SOA because 1) it is the actual master
and 2) I have no reason to lie and put something else.
My master is not listed as an NS because I don't want general queries
going to it. Seeing as how I have five other NS servers, I see no need
to list the master.
Yes, I'm aware that you can chain slave servers. (Though I would hope
that you have a good reason for doing so. Where "good reason" is more
compelling than just to make some validator that doesn't understand my
config happy.)
> that it's in general a good idea to use validation services and follow them
I'm taking "general" to be the key word. Namely that it applies to a
very common configuration. I consider my configuration to be less than
common (but not rare). As such, I have no problem with not following
this particular suggestion.
> the answer is: we are doing that for more than 10 years now
Thank you for your answer.
--
Grant. . . .
unix || die
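
The layout described in this message (the real master named in the SOA, five other servers as the only NS records), checked from zone data as an added example that is not part of the original message. The zone and every name under example.net are constructed, and the small parser assumes a one-record-per-line zone with a `$ORIGIN`. It also reports the default NOTIFY set from RFC 1996, which is every apex NS target except the SOA MNAME.

```python
# Constructed sample zone: hypothetical names under example.net, not from the thread.
ZONE = """\
$ORIGIN example.net.
@     3600 IN SOA master.example.net. hostmaster.example.net. 2016020701 7200 3600 1209600 3600
@     IN NS  ns1.example.net.
      IN NS  ns2.example.net.
      IN NS  ns3
      IN NS  ns4
      IN NS  ns5
lab   IN NS  ns1.lab   ; delegation: not part of the apex NS set
"""

def fqdn(name, origin):
    """Expand a zone-file name ("@", relative or absolute) to lower-case absolute form."""
    name = origin if name == "@" else name
    return (name if name.endswith(".") else f"{name}.{origin}").lower()

def apex_servers(zone_text):
    """Return (SOA MNAME, apex NS targets) from a one-record-per-line zone with $ORIGIN."""
    origin = owner = mname = None
    ns = set()
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()      # drop comments, tokenise
        if not fields:
            continue
        if fields[0].startswith("$"):              # directives: only $ORIGIN matters here
            if fields[0].upper() == "$ORIGIN":
                origin = fields[1].lower()
            continue
        if not raw[0].isspace():                   # a name in column one sets the owner
            owner, fields = fqdn(fields[0], origin), fields[1:]
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields = fields[1:]                    # skip optional TTL and class
        if owner != origin or len(fields) < 2:
            continue                               # only apex records matter
        if fields[0].upper() == "SOA":
            mname = fqdn(fields[1], origin)
        elif fields[0].upper() == "NS":
            ns.add(fqdn(fields[1], origin))
    return mname, ns

def review(zone_text):
    """Compare the SOA MNAME with the apex NS set; NOTIFY default follows RFC 1996."""
    mname, ns = apex_servers(zone_text)
    return {"mname": mname, "hidden_primary": mname not in ns,
            "default_notify": sorted(ns - {mname})}

if __name__ == "__main__":
    print(review(ZONE))
```

Because the MNAME is absent from the NS set, none of the published servers is dropped from the default NOTIFY set.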