Secondary DNS Server

Kevin Darcy kcd at daimlerchrysler.com
Wed Sep 27 23:07:43 UTC 2006


Pilu wrote:
> Hi,
>
> I am currently upgrading my Bind DNS Server version 4.1 to 9.3 ...
>
> My secondary DNS server is hosted by our internet provider and I would 
> like to be sure that zone transfers will work perfectly after the migration.
>
> On my named.conf file, i have defined this:
>
> key "rndc-key" { algorithm hmac-md5; secret "jdhfjddf@@{#\{#\"; };
>
> controls {
>      inet 127.0.0.1 allow { any; } keys { "rndc-key"; };
> };
>
>
> acl "secondary_servers" {
> 	194.98.65.69;
> 	194.98.65.169;
> 	192.76.144.17;
> 	194.128.171.100;
> };
>
> options {
> 	
> 	check-names master fail;
> 	check-names response ignore;
> 	check-names slave warn;
> 	directory "e:\named\zones";
> 	allow-transfer {"secondary_servers"; };
>
> 	query-source address * port 53;
> };
>
> In my zone files, I have defined the secondary server IPs as NS.
>
> Can you please confirm that this configuration is correct?
>
>   
I'd probably just start simply -- maybe just the "directory" statement 
-- and then add the other features incrementally in phases. You should 
only lock down your query-source if you have a firewall and/or a 
firewall ruleset that requires it. As for rndc controls, check-names 
settings, and restricting zone transfers, those are all just matters of 
local opinion/preference/practice/convention, and I won't comment on 
their "correctness".

If you want to check the syntax of the named.conf file at any point in 
its evolution, then you can use the named-checkconf utility for that.

                                                                         
                           - Kevin
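The checks Kevin's reply points at, as an added example written for a POSIX shell (this is not code from the original thread or from ISC). It writes a named.conf for the primary described above using the ACL and secondary addresses from the post, syntax-checks it with named-checkconf when that tool is present, and provides helpers for confirming with dig that the secondaries can pull the zone and end up serving the primary's SOA serial. The zone name (example.com), the scratch directory, the primary address 192.0.2.53 and the key secret are assumptions; the secret is a constructed base64 placeholder, because named requires an hmac-md5 key secret to be valid base64 (rndc-confgen produces one), which a value such as the one quoted in the post would not satisfy.

```shell
#!/bin/sh
# Added example, not code from the original post or from ISC.  Builds a
# named.conf for the primary discussed in the thread, checks it, and gives
# helpers for verifying zone transfers.  ACL name and secondary addresses
# come from the post; zone name, paths, key secret and primary address are
# assumptions.
set -eu

ZONE="example.com"                                   # assumed zone name
WORKDIR="${TMPDIR:-/tmp}/bind-migration-check"       # assumed scratch dir
PRIMARY="192.0.2.53"                                 # assumed primary address
# hmac-md5 secrets must be base64 (rndc-confgen generates one).  This value
# is a constructed placeholder, not a real key.
RNDC_SECRET="c2VjcmV0LXBsYWNlaG9sZGVyLW5vdC1yZWFs"

# Pure-shell check that a string is well-formed base64, so a bad secret is
# caught even on a host without BIND's tools installed.
is_base64() {
    printf '%s' "$1" |
        grep -Eq '^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$'
}

# Write the configuration and print its path.
write_named_conf() {
    mkdir -p "$WORKDIR"
    cat > "$WORKDIR/named.conf" <<EOF
key "rndc-key" { algorithm hmac-md5; secret "$RNDC_SECRET"; };

controls {
    inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndc-key"; };
};

acl "secondary_servers" {
    194.98.65.69;
    194.98.65.169;
    192.76.144.17;
    194.128.171.100;
};

options {
    directory "$WORKDIR";
    allow-transfer { "secondary_servers"; };
};

zone "$ZONE" {
    type master;
    file "$ZONE.zone";
};
EOF
    printf '%s\n' "$WORKDIR/named.conf"
}

# Syntax-check with named-checkconf: 0 if it passes, 1 if it fails,
# 2 if BIND's tools are not installed on this host.
check_config() {
    if ! command -v named-checkconf >/dev/null 2>&1; then
        echo "named-checkconf not found; skipping syntax check" >&2
        return 2
    fi
    named-checkconf "$1"
}

# Request a full zone transfer with dig.  Run from a host inside the
# secondary_servers ACL to confirm the transfer is allowed, and from a host
# outside it to confirm it is refused (dig reports "Transfer failed.").
fetch_axfr() {
    if ! command -v dig >/dev/null 2>&1; then
        echo "dig not found; skipping AXFR test" >&2
        return 2
    fi
    dig "@$1" "$2" AXFR +time=5 +tries=1
}

# The serial is the third rdata field of a "dig +short SOA" answer, e.g.
# "ns1.example.com. hostmaster.example.com. 2006092701 3600 900 604800 3600".
soa_serial() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# After a transfer every secondary should serve the primary's serial.
serials_match() {
    [ "$(soa_serial "$1")" = "$(soa_serial "$2")" ]
}

# Usage: sh bind-migration-check.sh run
# Without the argument only the functions are defined.
if [ "${1:-}" = "run" ]; then
    conf=$(write_named_conf)
    is_base64 "$RNDC_SECRET" || { echo "rndc secret is not base64" >&2; exit 1; }
    check_config "$conf" || [ $? -eq 2 ]
    fetch_axfr "$PRIMARY" "$ZONE" || true
    primary_soa=$(dig +short "@$PRIMARY" "$ZONE" SOA 2>/dev/null || true)
    for s in 194.98.65.69 194.98.65.169 192.76.144.17 194.128.171.100; do
        sec_soa=$(dig +short "@$s" "$ZONE" SOA 2>/dev/null || true)
        if serials_match "$primary_soa" "$sec_soa"; then
            echo "$s: serial $(soa_serial "$sec_soa") matches primary"
        else
            echo "$s: serial mismatch or no answer" >&2
        fi
    done
fi
```

Run it once from the primary itself (which should be refused unless 127.0.0.1 or its own address is in the ACL), once from a host in the ACL, and once from a host outside it; only the ACL host should receive the zone. A serial that lags on a secondary after the migration means NOTIFY or the transfer itself is not getting through.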


