NS also in SOA doesn't get NOTIFY
Chris Thompson
cet1 at cam.ac.uk
Thu Oct 27 16:57:24 UTC 2011
On Oct 27 2011, Kevin Darcy wrote:
>On 10/27/2011 11:02 AM, Jonathan Stewart wrote:
>> Hello,
>>
>> Recently I set up a group of nameservers using a hidden master,
>> visible slaves configuration.
>>
>> ns0 - hidden master
>> ns1, ns2, ns3 - visible slave servers
>>
>> So I set the SOA and NS records like this
>>
>> zone.example. IN SOA ns1.zone.example. hostmaster.example.com. (
>> 1 ; serial number
>> 3600 ; refresh [1h]
>> 600 ; retry [10m]
>> 86400 ; expire [1d]
>> 3600 )
>>
>> IN NS ns1.zone.example.
>> IN NS ns2.zone.example.
>> IN NS ns3.zone.example.
>>
>>
>> Thus, the hidden master, ns0, does not appear in the SOA or NS records.
>>
>> The problem is that NOTIFY messages do not get delivered to ns1,
>> because it's the primary server in the SOA record. If I change the
>> SOA to have ns0, then NOTIFYs work, ns1 updates immediately. I don't
>> like this solution because my hidden master is no longer hidden when
>> I'm publishing it in the SOA.
>>
>> Also, is this normal/expected behaviour? How can I get ns0 (and the
>> others) to NOTIFY ns1 when the serial is incremented? Must I use an
>> explicit {also-notify} ?
>
>Why not put something completely different -- i.e. neither the hidden
>master nor any of the published NSes -- in the SOA.MNAME? Besides
>NOTIFY, about the only other thing that cares about SOA.MNAME is Dynamic
>Update, and that usually requires special handling in a hidden-master
>scenario anyway...
Alternatively, specify "notify-to-soa yes;" in named.conf. See the ARM:
| notify-to-soa
|
| If yes do not check the nameservers in the NS RRset against the
| SOA MNAME. Normally a NOTIFY message is not sent to the SOA MNAME
| (SOA ORIGIN) as it is supposed to contain the name of the ultimate
| master. Sometimes, however, a slave is listed as the SOA MNAME in
| hidden master configurations and in that case you would want the
| ultimate master to still send NOTIFY messages to all the nameservers
| listed in the NS RRset.
--
Chris Thompson
Email: cet1 at cam.ac.uk
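
The "notify-to-soa yes;" setting from the reply above, placed in a hidden-master layout like the one in the question. This is an added example, not part of the original posts; the IP addresses (documentation range), the ACL name and the file paths are constructed assumptions.

```conf
// ---- named.conf on ns0 (hidden master) ----
// Constructed placeholder addresses for the published slaves.
acl "visible-slaves" {
    192.0.2.1;    // ns1 (also named in SOA MNAME)
    192.0.2.2;    // ns2
    192.0.2.3;    // ns3
};

zone "zone.example" {
    type master;
    file "zone.example.db";      // assumed path
    notify yes;                  // NOTIFY the servers listed in the NS RRset
    notify-to-soa yes;           // do not skip ns1 just because it is the SOA MNAME
    // Only the published slaves may transfer the zone from the hidden master.
    allow-transfer { "visible-slaves"; };
};

// ---- named.conf on ns1 (ns2 and ns3 are configured the same way) ----
zone "zone.example" {
    type slave;
    masters { 192.0.2.10; };     // ns0 (constructed address), absent from SOA and NS
    file "slaves/zone.example.db";   // assumed path
};
```

With this in place ns0 stays out of the published SOA and NS records, while ns1 still receives NOTIFY when the serial is incremented.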