Is the domain name after SOA important?

Mark_Andrews at iengines.com Mark_Andrews at iengines.com
Thu Oct 28 21:15:10 UTC 1999


> Hi All,
> 
> > Joseph S D Yao <jsdy at cospo.osis.gov> wrote :
> >
> >If you have more than one name server, the one where you actually
> >update the tables with an editor [or whatever] must be the name after
> >the SOA.  (This is now called the "master" server, rather than the
> >"primary" server.)  Plus, humans reading the SOA will expect that the
> >host named there is in fact one of the zone's name servers, albeit
> >perhaps hidden.
> 
> Now, I have been faced with a requirement of the Dutch ccTLD registrar in this
> respect :
> 
> The Dutch ccTLD registrar requires/demands that the name server mentioned in
> the SOA record is the same as the "primary" name server you mention in the
> registration request for your domain.

	This is not a reasonable request to be made by a public
	registrar.

	A public registrar should be ensuring that the nameservers
	listed are functioning as nameservers for the zone.  It
	should also be ensuring that the names given don't refer
	to CNAMES.  Apart from this anything else should be a
	warning and the registration should proceed.

	The following are NOT reasonable grounds for stopping a
	registration, make them warnings if you like:
	1. the servers listed failing to translate their IP addresses
	   into their names.
	2. failing to have one of the listed nameservers also be
	   the origin field of the SOA record.



> 
> Now, we have the master server behind a firewall and 2 slave servers running
> on our firewall. We want only the 2 name servers on the firewalls to be known
> to the Internet community. We had the master name server mentioned in the SOA
> of the master server and obviously this ripples through to the SOAs of the
> slave servers on the bastions. This results in an error for the Dutch ccTLD
> registrar and they will not register your domain. Because of this rule, we are
> forced to put the name of the external slave server in the second field of the
> SOA record of our internal master name server.
> 
> Can someone tell me whether :
> 
>    - Is our original set up good practice ?

	It is reasonable practice.  The official name for this configuration
	is "stealth primary master".

>    - In the scenario described above, is this a sensible rule of the Dutch
>      ccTLD Registrar ?

	No, as it precludes perfectly good configurations.

>    - Is this good practice of the ccTLD registrar ?

	Performing checks is.  Performing this particular check and not
	making it a warning is not.

>    
> In our plans to set up a split-meshed DNS environment, where the Internet 
> visible/registered name servers are all slave servers on bastion hosts, this 
> interferes with our policy that we intend to apply in other countries.
> 
> Many thanks,
> 
> Geert
> 
> 
> 
> >
> >You could in fact set up the SOA in this manner:
> >@		IN SOA	ns1 hostmaster (
> >	...
> >)
> >
> >Then, if your origin is "foo.com", the name server will be perceived to
> >be "ns1.foo.com" and the "responsible party" address will be perceived
> >to be "hostmaster at foo.com".  Similarly, "bar.com" => "ns1.bar.com" and
> >"hostmaster at bar.com".
> >
> >This presupposes that everything else in the zone file should be
> >identical modulo the domain name; but that seems to be what you are
> >suggesting.
> >
> >--
> >Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
> >COSPO/OSIS Computer Support					EMT-B
> >-----------------------------------------------------------------------
> >This message is not an official statement of COSPO policies.
> >
> 
> 
--
Mark Andrews, Internet Engines Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at iengines.com
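
The check policy argued for in the reply above, as an added example that is not part of the original post and not any registrar's actual code: non-functioning or CNAME nameservers block a registration, while a reverse-lookup mismatch or an SOA origin outside the listed nameservers only warns. The function name, the shape of the observation data and the example.nl names are assumptions made for illustration.

```python
def norm(name):
    """Compare DNS names case-insensitively, ignoring the trailing dot."""
    return name.rstrip(".").lower()

def check_delegation(zone, requested_ns, obs):
    """Return (errors, warnings) for a registration request.

    obs holds what a checker observed (gathering it is out of scope here):
      authoritative: names that answered authoritatively for the zone's SOA
      cnames:        requested names that turned out to be CNAMEs
      ptr:           name -> names its IP addresses reverse-map to
      soa_mname:     origin field of the zone's SOA record
    """
    errors, warnings = [], []
    listed = {norm(n) for n in requested_ns}
    auth = {norm(n) for n in obs["authoritative"]}
    cnames = {norm(n) for n in obs["cnames"]}
    ptr = {norm(k): {norm(v) for v in vs} for k, vs in obs["ptr"].items()}
    for ns in sorted(listed):
        # Hard failures: the delegation would not work.
        if ns not in auth:
            errors.append(f"{ns}: not functioning as a nameserver for {zone}")
        if ns in cnames:
            errors.append(f"{ns}: nameserver name refers to a CNAME")
        # Soft finding: reverse mapping does not return the listed name.
        if ns not in ptr.get(ns, set()):
            warnings.append(f"{ns}: address does not translate back to this name")
    # Soft finding: a stealth primary master is named in the SOA but not listed.
    mname = norm(obs["soa_mname"])
    if mname not in listed:
        warnings.append(f"SOA origin {mname} is not a listed nameserver")
    return errors, warnings

# Constructed sample: stealth primary master, two public slaves on the firewalls.
STEALTH = {
    "authoritative": {"ns1.example.nl.", "ns2.example.nl."},
    "cnames": set(),
    "ptr": {"ns1.example.nl": {"ns1.example.nl."},
            "ns2.example.nl": {"fw2.example.nl."}},
    "soa_mname": "master.inside.example.nl.",
}

if __name__ == "__main__":
    errs, warns = check_delegation(
        "example.nl", ["NS1.example.nl", "ns2.example.nl"], STEALTH)
    print("proceed" if not errs else "reject", errs, warns)
```
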

