Hello Frank,

Sun, 17 Aug 2008 19:20:45 +0200 Frank Behrens wrote:

>> Assuming that all 3 of your secondaries have good Internet
>> connectivity, I suggest you establish a so-called "unpublished
>> primary" scheme. The necessary steps are:
>> 1. Remove your master server from the NS records in your zone file;
>> 2. Choose one of your slave servers and put its host name in the SOA
>> record replacing the master server name;

> Why should this be done (step 2)?

This is just a safety measure. Some registrars and even ccTLD registries
require that a name server listed in the SOA must also be listed in the NS
record set. The same behavior is demonstrated by some DNS validation
software, including several online tools. It sounds like this
requirement isn't based on any RFC except RFC 883, page 33, para 3,
sentence 3. The second reason for step 2 is to maintain a truly
"unpublished (stealth) primary" configuration.

However, step 2 can interfere with dynamic DNS updates and
sometimes with the NOTIFY mechanism. Mr. Cricket Liu, the author of "DNS
and BIND", has commented on this problem at
http://www.menandmice.com/knowledgehub/dnsqa/20 . So it's up to the
administrator whether to completely hide the real primary or not.


Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/
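
Added example, not part of the original message: a small offline check of the two conditions discussed above, namely that the SOA MNAME appears in the apex NS set and that the real primary is named in neither. The zone text, `example.com.`, the host names, and the minimal parser (numeric TTLs, class IN, first rdata name only) are constructed assumptions for illustration.

```python
# Constructed sample zone; every name here is an illustrative placeholder.
ZONE = """\
$ORIGIN example.com.
$TTL 3600
@    IN SOA ns1.example.com. hostmaster.example.com. (
         2008081701 3600 900 604800 3600 )
     IN NS  ns1
     IN NS  NS2.Example.Com.
     IN NS  ns3.example.net.
www  IN A   192.0.2.10
"""

def fqdn(name, origin):
    """Normalize a zone-file name to a lowercase absolute name."""
    if name == "@":
        return origin
    return (name if name.endswith(".") else name + "." + origin).lower()

def apex_records(zone_text, apex):
    """Yield (type, first rdata name) for records owned by the zone apex."""
    origin, owner = apex, None
    for raw in zone_text.splitlines():
        tok = raw.split(";", 1)[0].split()
        if not tok:
            continue
        if tok[0].startswith("$"):
            if tok[0].upper() == "$ORIGIN":
                origin = tok[1].lower()
            continue
        if not raw[0].isspace():  # blank owner field inherits the previous owner
            owner = fqdn(tok.pop(0), origin)
        while tok and (tok[0].isdigit() or tok[0].upper() == "IN"):
            tok.pop(0)  # skip optional numeric TTL and class
        if len(tok) > 1 and owner == apex:
            yield tok[0].upper(), fqdn(tok[1], origin)

def audit(zone_text, apex, primary):
    """Check SOA MNAME against the apex NS set and whether `primary` is published."""
    apex, mname, ns = apex.lower(), None, set()
    for rtype, target in apex_records(zone_text, apex):
        if rtype == "SOA":
            mname = target
        elif rtype == "NS":
            ns.add(target)
    return {"mname": mname,
            "mname_in_ns": mname in ns,  # the registrar/validator requirement
            "primary_hidden": fqdn(primary, apex) not in ns | {mname}}

print(audit(ZONE, "example.com.", "master.example.com."))
```
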