Hello Andrey!

Andrey G. Sergeev (AKA Andris) wrote on 18 Aug 2008 0:05:
> Sun, 17 Aug 2008 19:20:45 +0200 Frank Behrens wrote:
> >> Assuming that all of your 3 secondaries have a good Internet
> >> connectivity, I suggest you to establish a so-called "an unpublished
> >> primary" scheme. The necessary steps are:
> >> 1. Remove your master server from the NS records in your zone file;
> >> 2. Choose one of your slave servers and put its host name in the SOA
> >> record replacing the master server name;

> >
> > Why should this be done (step 2)?

> This is just a safety measure. Some registrars and even ccTLD registries
> require that a name server listed in SOA must be also listed in the NS
> record set. The same behavior is demonstrated by some DNS validation
> software including several online tools. Sounds like that this
> requirement isn't based on any RFC except RFC 883, page 33, para 3,
> sentence 3. The second reason for the step 2 is to maintain a truly
> "unpublished (stealth) primary" configuration.
> However, the step 2 can interfere with the dynamic DNS updates and
> sometimes with the NOTIFY mechanism. Mr. Cricket Liu, the author of "DNS
> and BIND", has commented this problem at
> http://www.menandmice.com/knowledgehub/dnsqa/20 . So it's up to an
> administrator whether to completely hide the real primary or not.

So we are in agreement about the results. That recommends an
additional step in this special case:
5. Configure your hidden primary server with an "also-notify" option
in order to send notify messages to the secondary server mentioned in
the SOA record.

Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.