separation of authoritative and recursive functions on internal networks

Grant Taylor gtaylor at tnetconsulting.net
Mon Feb 8 01:29:03 UTC 2016


On 02/07/2016 05:54 PM, Reindl Harald wrote:
> why?

(I believe I answered your question in the subsequent paragraph.  If not 
let me know and I'll try again.)

> that's not a reason for not listing one of them as SOA

None of the slaves are the SOA.  (Further, I'm not aware of them having 
been configured to forward any updates, even if I allowed them, to the 
real master.) So listing one of them as the SOA would be a lie.

> the slave doesn't need the SOA because it's typically configured to use
> whatever server as master which allows zone transfers, frankly you can
> even chain slaves pulling zones from other slaves

I know that slaves don't need (utilize) the SOA.  That's not why I have 
my master listed in the SOA.

I have my master listed in the SOA because 1) it is the actual master 
and 2) I have no reason to lie and put something else.

My master is not listed as an NS because I don't want general queries 
going to it.  Seeing as how I have five other NS servers, I see no need 
to list the master.

Yes, I'm aware that you can chain slave servers.  (Though I would hope 
that you have a good reason for doing so.  Where "good reason" is more 
compelling than just to make some validator that doesn't understand my 
config happy.)

> that it's in general a good idea to use validation services and follow them

I'm taking "general" to be the key word.  Namely that it applies to a 
very common configuration.  I consider my configuration to be less than 
common (but not rare).  As such, I have no problem with not following 
this particular suggestion.

> the answer is: we are doing that for more than 10 years now

Thank you for your answer.



-- 
Grant. . . .
unix || die

