Chaining NOTIFY and slave servers - is it supported?

Petr Bena petr at bena.rocks
Tue Apr 21 15:05:57 UTC 2020


Hello,

In our massive corporate setup with hundreds of BIND servers all around 
the planet, we have some "funny" configurations (please don't ask why :)), 
that seem to be actually working just fine, but I would like to 
understand if this is actually a supported setup, or if they just work by 
accident or due to some kind of a bug.

We have some DNS servers which have some network limitations (mostly 
firewalls) that allow communication only in certain directions, imagine 
this setup with 3 DNS servers:

* A: is a master for zone test.org, can talk to B only

* B: is a slave for zone test.org, can talk to A and C

* C: is a slave for zone test.org, can talk only to B

What we do is this:

* A is a real master, but can't reach C, so it allows zone transfer to B 
and also sends NOTIFY to B.

* B is a slave to A, but master to C, it has also-notify for C, despite 
not really being a master.

* C is a slave to B

So when someone changes the zone on A via nsupdate, the NOTIFY and subsequent 
IXFR go like this: A -> B -> C instead of:

A -> B

    -> C

Which would be the case in a more "correct setup".

What confuses me, however, is that I just found this in the BIND 
documentation at: https://www.zytrax.com/books/dns/ch7/xfer.html#also-notify

"The *also-notify* statement is relevant only with master zones..."

If also-notify works only with master zones, then why does this work? Is it 
even supposed to work? Is this a supported configuration at all?


Thanks for clearing this up
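
The A -> B -> C layout described in the message above, written out as named.conf zone stanzas. This is an added example, not the poster's configuration: the 192.0.2.x addresses, the file names, and the `notify explicit`, `notify no` and `allow-transfer` choices are assumptions.

```conf
# Constructed example. 192.0.2.x are documentation addresses standing in
# for A (192.0.2.1), B (192.0.2.2) and C (192.0.2.3).

# --- named.conf on A: master, can talk to B only ---
zone "test.org" {
    type master;
    file "test.org.db";              // assumed file name
    allow-transfer { 192.0.2.2; };   // only B may pull the zone
    notify explicit;                 // NOTIFY only the also-notify list
    also-notify { 192.0.2.2; };      // B
    // the update ACL used for nsupdate is site-specific and not shown
};

# --- named.conf on B: slave of A, transfer source for C ---
zone "test.org" {
    type slave;
    masters { 192.0.2.1; };          // pulls from A
    file "slaves/test.org.db";       // assumed file name
    allow-transfer { 192.0.2.3; };   // only C may pull from B
    notify explicit;                 // do not NOTIFY servers B cannot reach
    also-notify { 192.0.2.3; };      // C
};

# --- named.conf on C: slave of B, end of the chain ---
zone "test.org" {
    type slave;
    masters { 192.0.2.2; };          // pulls from B, never from A
    file "slaves/test.org.db";       // assumed file name
    allow-transfer { none; };        // nothing downstream of C
    notify no;                       // C has nobody to notify
};
```

Each stanza can be checked with `named-checkconf` on its own server before reloading.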
