Re: DDNS and Hidden Master == Brain-Damaged - DNS

--On 26 January 2005 23:41 -0800 Phil Dibowitz wrote:
> As someone about to hide our hidden master, it sounds like the best
> solution will be to make the SOA record *not* the hidden master, but
> instead a public DNS server, and then it's by all means... hidden.
> Does that break anything else?
If you put one of your front-end nameservers in the MNAME-field of the
SOA-record, you'll have problems with NOTIFY - a hidden master running BIND
9.x will send a NOTIFY-message to every NS-record in the zone, _except_ if
it's also the MNAME.
I think I'll try to rephrase/explain, English isn't my primary language.
Let's say you have a hidden master dns0.example.com and two slaves that are
reachable from the outside: dns1.example.com and dns2.example.com.
...and your zonefile looks something like this (simplified; the SOA timer values are placeholders):
$TTL 3600
example.com.    IN SOA dns1.example.com. hostmaster.example.com. (
                2005012701 3600 900 1209600 3600 ) ; serial refresh retry expire minimum
                IN NS  dns1.example.com.
                IN NS  dns2.example.com.
When you then reload the zone on dns0, BIND 9.x will send notifies to the
servers mentioned in the NS-records, except for dns1.example.com, since it's
in the SOA as well.
I think you can probably work around this brain-damage by configuring an
"also-notify" statement in named.conf but I haven't tried this myself.
Hilsen / Regards
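The behaviour described in this reply, modelled as a small Python script so the gap can be checked before a hidden master goes live. This is an added example, not code from the thread, BIND or ISC: it encodes the rule as stated above (NOTIFY goes to every NS-record target except the server itself and the SOA MNAME, and "also-notify" adds explicit extra targets), and the hostnames and 192.0.2.x addresses are constructed sample values. The `addresses` map stands in for the name resolution BIND would do, because "also-notify" takes IP addresses rather than names.

```python
"""Which slaves does a BIND 9 hidden master NOTIFY after a zone reload?

Added example (not from the original thread). Models the rule described
in the post: NOTIFY is sent to every NS-record target except the master
itself and the SOA MNAME; 'also-notify' in named.conf adds extra targets.
All hostnames and addresses are constructed sample values.
"""
from dataclasses import dataclass, field


def _norm(name: str) -> str:
    # Zone files write names with a trailing dot; compare without it.
    return name.lower().rstrip(".")


@dataclass
class Zone:
    name: str
    mname: str                 # SOA MNAME, the "primary master" field
    ns: list                   # NS-record targets (hostnames)
    addresses: dict            # hostname -> IP, stands in for resolution
    also_notify: list = field(default_factory=list)   # IPs from also-notify


def notify_targets(zone: Zone, self_name: str) -> set:
    """IPs that receive NOTIFY when `self_name` reloads `zone`."""
    skip = {_norm(self_name), _norm(zone.mname)}
    ips = {zone.addresses[_norm(n)] for n in zone.ns if _norm(n) not in skip}
    return ips | set(zone.also_notify)


def missing_slaves(zone: Zone, self_name: str) -> set:
    """NS-record hosts (other than ourselves) that never hear about a change."""
    expected = {_norm(n) for n in zone.ns if _norm(n) != _norm(self_name)}
    reached = notify_targets(zone, self_name)
    return {h for h in expected if zone.addresses[h] not in reached}


def also_notify_fix(zone: Zone, self_name: str) -> str:
    """Render the named.conf 'also-notify' statement that closes the gap."""
    missing = sorted(missing_slaves(zone, self_name))
    if not missing:
        return ""
    return "also-notify { " + " ".join(f"{zone.addresses[h]};" for h in missing) + " };"


if __name__ == "__main__":
    # Constructed sample: hidden master dns0, public slaves dns1 and dns2,
    # with dns1 put into the SOA MNAME to keep dns0 hidden.
    addrs = {"dns0.example.com": "192.0.2.10",
             "dns1.example.com": "192.0.2.1",
             "dns2.example.com": "192.0.2.2"}
    zone = Zone("example.com", "dns1.example.com.",
                ["dns1.example.com.", "dns2.example.com."], addrs)
    print("notified:", sorted(notify_targets(zone, "dns0.example.com.")))
    print("never notified:", sorted(missing_slaves(zone, "dns0.example.com.")))
    print("workaround:", also_notify_fix(zone, "dns0.example.com."))
```

Running it with the sample zone shows dns2 being notified and dns1 silently left out, and prints the `also-notify { 192.0.2.1; };` line for the zone stanza on the hidden master; rerunning with that list in `also_notify` reports no missing slaves. The same check passes without any workaround when the MNAME names the hidden master itself, which is the trade-off the original question was about.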