Best Practices for Authoritative Servers
Baird, Josh
jbaird at follett.com
Thu Jan 31 22:58:44 UTC 2008
Chris,
Sorry for the terminology confusion. Let me try to explain again:
I have three authoritative servers: 172.20.1.1, 172.20.1.2, 172.20.1.3. These three servers are listed in the NS RRset for all of my internal domains. They do not allow recursion. 172.20.1.1's zones are defined as masters:
zone "blah.com" {
    type master;
    file "blah.com";
};
The other two authoritative servers contain zones that are slaves to 172.20.1.1:
zone "blah.com" {
    type slave;
    masters { 172.20.1.1; };
    file "blah.com";
};
Now, I have several resolving/recursive servers that contain these zones as well that devices use for resolution. I could get the same result by using stub zones, which I might change to in the future. The zone statements on the resolving servers are as follows:
zone "blah.com" {
    type slave;
    masters { 172.20.1.1; };
    file "blah.com";
};
My question was, are the zone statements on the resolving servers correct? Should I include all three of the authoritative servers in the masters { } substatement in the zone definitions of the resolving servers? Would there be any additional benefit of doing this?
Thanks -- hope this was a bit clearer,
Josh
________________________________
From: bind-users-bounce at isc.org on behalf of Chris Buxton
Sent: Thu 1/31/2008 5:14 PM
To: John Wobus
Cc: Bind-Users List
Subject: Re: Best Practices for Authoritative Servers
A server is authoritative for a zone if it has a complete, non-cached
copy of the zone. In other words, if it is master or slave for that
zone, and if the zone loads correctly, then it is authoritative. This
is indicated by the 'aa' flag in a response from the server.
It does not matter whether any NS record in the zone refers to the
server by name. In fact, a name server doesn't necessarily know its
own name(s), nor does it normally need to do so. I don't believe the
BIND name server makes any attempt to figure out a name for its host
machine, for example.
--
To the original poster, I have to say, the question is unclear. In
what way are you including name servers in the zone definitions? What
zone definitions? It is always clearest to other people when
discussing BIND if you use standard BIND terminology, even if that
terminology does not come naturally to you. Therefore, you might
discuss configuration items such as a "zone statement", a "masters
substatement inside a slave zone statement", a zone's "apex
records" (the records in the zone that have the same name as the zone
itself - this one's not too commonly used, I think), etc.
Chris Buxton
Professional Services
Men & Mice
Address: Noatun 17, IS-105, Reykjavik, Iceland
Phone: +354 412 1500
Email: cbuxton at menandmice.com
www.menandmice.com
On Jan 31, 2008, at 12:39 PM, John Wobus wrote:
> This brings to mind a point I am confused about. What causes bind9
> to mark a query-response as authoritative? Is it sufficient that the
> data come from a zone configured in this nameserver to be either
> master or slave? Or, does it matter if there exists an NS record that
> points at the nameserver itself? The specific point is whether you can
> run a caching server also that transfers some select zones, yet answer
> queries for names in these zones as if they were cached.
>
> I couldn't find a quick answer with google or any of my books.
>
> John
>
> On Jan 31, 2008, at 2:47 PM, Baird, Josh wrote:
>
>> I currently have three authoritative (non-recursive) internal
>> nameservers (these servers are listed in the NS RRset for all of my
>> internal domains). I also have several resolving/caching servers which
>> hold the slave zones for these authoritative servers. On these
>> resolving servers, the zone definitions only define one of the three
>> authoritative servers. Would it be best to include all three
>> authoritative servers in the zone definitions for the slaves? What
>> benefit would I gain? Is there even a point in having three
>> authoritative servers, when only one is listed in the zone definitions
>> for the slaves?
>>
>> I appreciate any input.
>>
>> Thanks,
>>
>> Josh
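The 'aa' flag described in Chris Buxton's reply, as an added example that is not part of the original thread: a Python sketch that decodes the DNS header (RFC 1035 layout) and reports whether a response is authoritative. The sample messages are constructed header-only byte strings, and the function names are hypothetical.

```python
import struct

# Flag bits in the 16-bit flags word of the DNS header (RFC 1035, 4.1.1).
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header of a wire-format DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message: header is 12 bytes")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "ancount": an}

def classify(msg: bytes) -> str:
    """Label a message by its header flags alone."""
    h = parse_header(msg)
    if not h["qr"]:
        return "query"
    if h["rcode"] != 0:
        return "error"
    if h["aa"]:
        # Set when the server holds the zone as master or slave.
        return "authoritative"
    if h["ancount"] > 0:
        return "non-authoritative answer"
    return "no answer"

def header(flags: int, ancount: int = 1) -> bytes:
    """Build a constructed header-only sample (question/answer omitted)."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

# Constructed samples for the three server roles discussed in the thread.
SAMPLES = {
    "non-recursive master or slave": header(QR | AA | RD),
    "resolver that also slaves the zone": header(QR | AA | RD | RA),
    "resolver answering from cache": header(QR | RD | RA),
}

def report() -> dict:
    return {name: classify(msg) for name, msg in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:36} {verdict}")
```

The second sample is the case John asks about: a recursive server that transfers a zone sets 'aa' for names in it, and differs from the dedicated authoritative servers only in the 'ra' bit.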