--On 26. januar 2005 23:41 -0800 Phil Dibowitz wrote:
> As someone about to hide our hidden master, it sounds like the best
> solution will be to make the SOA record *not* the hidden master, but
> instead a public DNS server, and then it's by all means... hidden.
> Does that break anything else?

If you put one of your front-end nameservers in the MNAME-field of the
SOA-record, you'll have problems with NOTIFY - a hidden master running BIND
9.x will send a NOTIFY-message to every NS-record in the zone, _except_ if
it's also the MNAME.

I think I'll try to rephrase/explain, English isn't my primary language.

Let's say you have a hidden master dns0.example.com and two slaves that are
reachable from the outside: dns1.example.com and dns2.example.com.

...and your zonefile looks anything like this (simplified...):

example.com IN SOA dns1.example.com. hostmaster.example.com. (
IN NS dns1.example.com.
IN NS dns2.example.com.

When you then reload the zone on dns0, BIND 9.x will send notifies to the
servers mentioned in the NS-records. Except for dns1.example.com since it's
in the SOA as well.

I think you can probably work around this brain-damage by configuring an
"also-notify" statement in named.conf but I haven't tried this myself.

Hilsen / Regards
Eivind Olsen