denise.brisson@hrsdc-rhdsc.gc.ca wrote:
> We are re-evaluating the way our DNS server are set-up. We currently have one primary and one slave DNS server. Each of them can resolve any domain names that they are authoritative for (approx 175 domain names).
>
> I'm wondering if it is possible to only have the slave servers (2 or 3 of them) answering all queries and leaving the primary out of it.
>
> Is it safe to do this type of set-up. Any advise appreciated.
>

Yes, this is perfectly normal, the so-called "hidden master" setup. Just
leave the primary master out of the NS records and any resolver configs
and no-one should be sending normal queries to it. It should only be
getting refresh queries and zone-transfer requests from its slaves.

Note, however, that if you use Dynamic Update at all, the presence of
the primary master in the SOA.MNAME of the relevant zone(s) might not be
sufficient identification of the Dynamic Update master if that name is
missing from the NS records of the zone(s). You might need to _force_
the client to use the primary master if it's "hidden" in this way. In
nsupdate, for instance, you'd use the "server" command to do that. Every
Dynamic Update client has -- or should have -- its own mechanism for
forcing the Dynamic Update requests to go to a particular place.


- Kevin