Confused about a basic concept

Warren Kumari warren at kumari.net
Wed Jun 5 14:23:10 UTC 2013 

On Jun 5, 2013, at 9:02 AM, Bryan Harris <bryanlharris at me.com> wrote:

> Hi all,
> 
> I think I may be confused about a very basic DNS concept.  

Many people are, but most don't a: know or B: admit it :-P

> Sorry if this has been asked before.
> 
> 1. I have a master and two slaves.
> 2. The master server is the SOA for my zone.  The SOA record points to the master server.
> 3. Each of the two slaves are authoritative for my zone.
> 4. There are 2 NS records for my zone.  The first NS = slave1 and the second NS = slave2.
> 5. The Master server is not listed in the NS records for my zone.
> 6. The master does not receive any queries from the clients.

Yup, this sounds right -- this is usually called a "hidden master" setup.
Some folk do this, some simply publish all of the servers in the NS set. Entirely up to you.

> 7. The slaves receive queries from the clients.
> 8. The master -> slaves relationship is via tcp/53 (notifies & zone transfers)
> 9. The slaves -> clients relationship is via udp/53 (queries)
> 
> Is this correct so far?

Yup, mostly.

You should probably allow both TCP and UDP between master and slave, and also between slaves and clients.
While most of the client <-> slave traffic is UDP, some responses may be too big for UDP and fail back to TCP  (especially with DNSSEC, or RRL dos protection)


>  I'm being told "our authoritative DNS servers should not receive any queries",

Er, this is where it all goes screwy. Maybe whoever said that actually meant:

1: The hidden master should not receive any queries (which is kinda what you said in 6).

2: Authoritative DNS servers should not also be recursive servers. This is a best common practice (for security reasons, manageability, etc.)
Maybe he meant "our authoritative DNS servers should not receive any ***recursive*** queries" -- that's a fairly valid view.

3: A duck (also know as, he's a nut).


> as well as "DNS slaves respond to queries".  These statements seem like a conflict to me, but maybe I'm simply confused?

Or he is...

> 
> 
> 
> I don't see how a slave could respond to a query unless it's authoritative.  The only thing I can imagine is adding some more caching servers just for queries and have them forward+recurse to the authoritative slave servers (but they're not slaves themselves).  But even in that case, the authoritative servers would still need to respond to queries, no?  Otherwise how would the caching servers get any answers in the first place?

It sounds like he's muddled. Your slaves are authoritative (actually, DNS doesn't really know the difference between master and space), they answer queries. I think there is a miscommunication here, or he's just wrong.

W

> 
> Bryan
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
There were such things as dwarf gods. Dwarfs were not a naturally religious species, but in a world where pit props could crack without warning and pockets of fire damp could suddenly explode they'd seen the need for gods as the sort of supernatural equivalent of a hard hat. Besides, when you hit your thumb with an eight-pound hammer it's nice to be able to blaspheme. It takes a very special and straong-minded kind of atheist to jump up and down with their hand clasped under their other armpit and shout, "Oh, random-fluctuations-in-the-space-time-continuum!" or "Aaargh, primitive-and-outmoded-concept on a crutch!"
  -- Terry Pratchett

More information about the bind-users mailing list