<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">There's no requirement that the
contents of SOA.MNAME have a matching A record in the zone. Even
if such a formal requirement existed, you might be able to satisfy
it by putting an A record of 0.0.0.0 in the zone. That doesn't
expose much :-)<br>
<br>
If you're paranoid about zone expiration, tune the EXPIRE setting
really high. Just be aware, if you do that, then if you change
providers some day, your old provider may be serving up a stale
version of the zone for a while, even if you stop zone transfers
to them.<br>
<br>
For that matter, you're not limited to using standards-based
master/slave replication. Many folks use rsync to keep their slave
zone files in sync with their master (you'd define the zone as
"master" everywhere and then use some out-of-band mechanism
whenever it changes, e.g. rndc, to tell the "slaves" to reload the
zone). Many commercial DNS systems (e.g. Infoblox) have their own
proprietary replication mechanisms built-in. Once you depart from
standards-based master/slave replication, then zone expiration has
only the meaning that your other replication mechanism assigns to
it, or perhaps no meaning at all.<br>
<br>
I've been running a "hidden master" setup for decades, for all of
our external-facing zones. It works well. I can't imagine doing it
any other way -- am I going to expose my real primary master to
the Internet? No thanks.<br>
<br>
- Kevin<br>
<br>
<br>
On 11/7/2013 1:52 PM, Jonathan Reed wrote:<br>
</div>
<blockquote
cite="mid:CAPw9y047jFNwDveuZ-h38=Fk7juMw41q4Sje7p-8tBetgpp6bA@mail.gmail.com"
type="cite">
<div dir="ltr">I'd like my global BIND server to slave a copy of
my zone from the master being hosted on my LAN. It appears that
this is called a stealth setup. I figured I'd achieve this by
having the secondary on the internet slave a view, but I've read
that this is not ideal from a security standpoint. The argument
being that the zone file contains an IP address of its master.
So what's the best way to do this?
<div>
<div><br>
</div>
<div>A stealth scenario also seems susceptible to a higher
chance that the connection is lost between master and slave
(complicated by a LAN firewall/ISP in between) and the
expire is exceeded. We're hosting our global DNS through a
provider, so there doesn't seem to be an easy way to monitor
and confirm a zone transfer from our master alone. Any
recommendations?</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Please visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list
bind-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a></pre>
</blockquote>
<br>
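<div>The monitoring the original poster asks for, as an added example that is not part of the thread and not code from ISC or from Kevin's setup: poll the hidden master and each public server for the zone's SOA, compare serials with RFC 1982 serial arithmetic, flag a secondary that has had more than REFRESH+RETRY to catch up, estimate how much EXPIRE budget a stuck secondary has left, and warn if the SOA MNAME names a host that is supposed to stay hidden. It assumes the answer-line format of <tt>dig +noall +answer &lt;zone&gt; SOA @&lt;server&gt;</tt>; the zone, server names, serials and the "seconds since the master changed" value are constructed sample data, and <tt>seconds_since_change</tt> is something the script that bumps the serial and runs <tt>rndc reload</tt> would have to record.<br>
<br>

```python
"""Check that public secondaries have picked up the hidden master's zone.

Added example, not code from the bind-users thread or from ISC BIND.  Works on
the text `dig +noall +answer <zone> SOA @<server>` prints (assumed format); every
name and number below is constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Sequence

# One SOA RR as dig prints it: name ttl IN SOA mname rname serial refresh retry expire minimum
SOA_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+"
    r"(?P<expire>\d+)\s+(?P<minimum>\d+)\s*$"
)


@dataclass
class SOA:
    mname: str
    serial: int
    refresh: int
    retry: int
    expire: int


def parse_soa(dig_output: str) -> Optional[SOA]:
    """Return the SOA in a dig answer, or None when there is none (SERVFAIL after the
    zone expired on the secondary, REFUSED for a zone it never loaded, a timeout)."""
    for line in dig_output.splitlines():
        m = SOA_RE.match(line.strip())
        if m:
            return SOA(m["mname"], int(m["serial"]), int(m["refresh"]),
                       int(m["retry"]), int(m["expire"]))
    return None


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 comparison with SERIAL_BITS = 32: a < b when b lies in the half-circle
    ahead of a, so 4294967295 < 0 after a wrap.  A distance of exactly 2**31 is
    undefined in the RFC; here neither side is "less", so such a pair is reported as
    'ahead' instead of being silently treated as in sync."""
    if a == b:
        return False
    return (b - a) % (1 << 32) < (1 << 31)


def check_secondaries(master_output: str, secondary_outputs: Dict[str, str],
                      seconds_since_change: int,
                      hidden_hosts: Sequence[str] = ()) -> Dict[str, str]:
    """Compare each public server's SOA with the hidden master's.

    seconds_since_change: how long ago the master's serial was last bumped.
    hidden_hosts: names that must never show up as the zone's MNAME, because that
    would advertise the hidden master (assumed list, supplied by the caller).
    """
    master = parse_soa(master_output)
    if master is None:
        raise ValueError("hidden master returned no SOA; fix that before blaming secondaries")
    report: Dict[str, str] = {}
    hidden = {h.rstrip(".").lower() for h in hidden_hosts}
    if master.mname.rstrip(".").lower() in hidden:
        report["_mname"] = f"MNAME {master.mname} names a hidden host; use a public NS name"
    for server, output in secondary_outputs.items():
        soa = parse_soa(output)
        if soa is None:
            report[server] = "no SOA answer: zone expired or never transferred"
        elif soa.serial == master.serial:
            report[server] = "in sync"
        elif serial_lt(soa.serial, master.serial):
            # A healthy secondary catches up within REFRESH, or REFRESH+RETRY when the
            # first SOA check failed; NOTIFY from the master normally makes it faster.
            grace = master.refresh + master.retry
            # Worst case: the secondary has not refreshed at all since the change.
            left = max(soa.expire - seconds_since_change, 0)
            if seconds_since_change > grace:
                report[server] = (f"overdue: serial {soa.serial} < {master.serial}, "
                                  f"{seconds_since_change}s since change > {grace}s; "
                                  f"at most {left}s of EXPIRE left")
            else:
                report[server] = f"lagging: serial {soa.serial} < {master.serial}"
        else:
            report[server] = (f"ahead: serial {soa.serial} > {master.serial}; "
                              "fed from a different master, or serial wrapped")
    return report


# Constructed sample dig answers (not real output): ns2 is one serial behind,
# ns3 answers SERVFAIL, which is what an expired zone looks like from outside.
MASTER = ("example.com.\t3600\tIN\tSOA\tns1.example.net. hostmaster.example.com. "
          "2013110702 7200 900 1209600 3600")
SECONDARIES = {
    "ns1.example.net": ("example.com.\t3600\tIN\tSOA\tns1.example.net. "
                        "hostmaster.example.com. 2013110702 7200 900 1209600 3600"),
    "ns2.example.net": ("example.com.\t3600\tIN\tSOA\tns1.example.net. "
                        "hostmaster.example.com. 2013110701 7200 900 1209600 3600"),
    "ns3.example.net": ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345",
}


def demo(seconds_since_change: int = 600) -> Dict[str, str]:
    return check_secondaries(MASTER, SECONDARIES, seconds_since_change,
                             hidden_hosts=["master.internal.example.com"])


if __name__ == "__main__":
    for server, status in demo().items():
        print(f"{server}: {status}")
```

Run it from cron with the real dig output substituted for the sample strings; the "ahead" branch also catches a stale rsync-fed server that was reloaded from the wrong copy, and the MNAME check guards the point Kevin makes about not exposing the real primary.<br>
</div>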
</body>
</html>