secondary on different network

Joseph S D Yao jsdy at cospo.osis.gov
Mon Sep 25 19:07:31 UTC 2000


On Sat, Sep 23, 2000 at 04:35:26PM -0400, Bob Vance wrote:
> Nobody addressed this yesterday and I'm not sure that it made it into
> the
> list, so I'm reposting it.

Well, that was just because you had pretty much said it all.  ;-}

> >add an NS record for your secondary to make it authoritative.
> 
> I was under the impression that adding the NS record, as stated, does
> *not* make the secondary authoritative.  The fact that he is a slave
> already makes him think that he's authoritative -- if he gets queried,
> he'll respond authoritatively.

If a server, master or slave [it's irrelevant], has a syntactically
valid zone file and a declaration of the zone file, then it's
authoritative for that zone.  But to let the resolvers out there know
the list of servers - which, to the resolver, are all PEER servers -
they must be declared in NS records.  So, an NS record DECLARES a
server as one of the authoritative peer servers.

There may be undeclared authoritative servers.  They will only serve
resolvers that are pointing at them by default.  They will also not get
updated by the normal "in-band" means when the server sends a notify.
They will only update by out-of-band means.  If the server is set up as
a "slave", the zone may expire and it may request an update.  Or it may
be listed in an "also-notify" list for that zone.

Or it may be lying, and never get updated.

> Out of the box, nothing *has* to be done on the master (primary).
> Set up the secondary server as stated by Nitin, and that's enough,
> unless
> you have some kind of security on the master or on intervening routers
> and/or firewalls that won't allow the slave to do an xfer.
> 
> The NS record just allows the server in question to be included in the
> list of authoritative servers for that sub-domain and thus enables other
> servers to find out about him and to query him to handle a recursive
> request or to refer non-recursive queries to him.
> Of course, this could be a pretty handy thing to have, like, say, on ...
> the Internet :)
> 
> But in a small, internal network, you might just be adding a secondary
> and *could* have the clients list the 2 servers in the resolver
> nameserver list and make no change on the primary.  Nobody else might
> need to know about the new server.
> 
> Not that it's *that* much effort to add the NS record into the zone cut
> of the parent and the zone data of the authority -- assuming that you
> are
> the admin on them.
> 
> OK, gurus.  Is there any validity to my above ramblings ?

Remember that BIND requires that a valid zone have at least one NS
record.  I think that may even be in an RFC, but I'll leave that for
others to look up.

-- 
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
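A small checker for the two points made in this reply (a slave is authoritative as soon as it loads the zone, but only NS records at the apex DECLARE it to resolvers, and BIND wants at least one such NS record). This is an added example, not code from the thread; the zone file below and the names ns1/ns2/ns3 are constructed for illustration.

```python
def _fqdn(name, origin):
    """Expand a relative zone-file name (or '@') to a fully qualified name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()

def apex_ns(zone_text, zone):
    """Return the set of servers declared by NS records at the zone apex."""
    zone = zone.lower().rstrip(".") + "."
    origin = zone                      # current $ORIGIN, may change mid-file
    declared = set()
    last_owner = zone
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # strip comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        if line.startswith("$"):               # $TTL and friends
            continue
        tokens = line.split()
        if raw[0].isspace():                   # blank owner = inherit previous
            owner = last_owner
        else:
            owner = _fqdn(tokens.pop(0), origin)
            last_owner = owner
        # Optional TTL and class precede the record type.
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)
        if len(tokens) >= 2 and tokens[0].upper() == "NS" and owner == zone:
            declared.add(_fqdn(tokens[1], origin))
    return declared

def check_secondary(zone_text, zone, secondary):
    """Report whether the zone has any apex NS and whether `secondary` is one."""
    declared = apex_ns(zone_text, zone)
    apex = zone.lower().rstrip(".") + "."
    return {"has_ns": bool(declared), "declared": _fqdn(secondary, apex) in declared}

# Constructed sample: ns1 is master, ns2 a declared slave, ns3 an undeclared slave.
ZONE = """$ORIGIN example.test.
$TTL 3600
@    IN SOA ns1 hostmaster (2000092501 3600 900 604800 3600)
@    IN NS  ns1
     IN NS  ns2.example.test.   ; declared secondary
ns1  IN A   192.0.2.1
ns2  IN A   192.0.2.2
ns3  IN A   192.0.2.3           ; loads the zone, but nobody is told about it
"""
```

An undeclared slave such as ns3 still answers authoritatively to resolvers pointed at it, but resolvers following the delegation never learn it exists.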