secondary DNS trickery

Kevin Darcy kcd at daimlerchrysler.com
Tue Sep 5 23:20:43 UTC 2000


Sorry, there doesn't appear to be any standardized way to do this. If
the slave server should have an *identical* zone configuration to
the master, then you can just use your favorite secure file-copy
mechanism (e.g. rsync over ssh, as Dan Bernstein recommends) to copy
*both* the zone files and the named.conf file to the slave. In this
case, the slave would think it is a master, and there wouldn't be any
"traditional" zone transfers going on at all -- everything would happen
through the secure file-copy mechanism.

Failing that, maybe you could do something similar with an
$INCLUDE file, i.e. have an $INCLUDE file on the master which just
contains the zones the other firm should slave, and just copy the
zonefiles along with the $INCLUDE file whenever something changes.
Again, the slave would think it is a master, and there wouldn't be any
need for zone transfers.

Other than that, the only way would be to have some sort of script
running on the master and/or the slave, which would trigger when a new
zone was added to the master and automatically create the slave
definition in the slave's named.conf. There are numerous ways to
implement this -- my pet idea, unimplemented, is for the slave to
trigger off the receipt of a new NOTIFY from the master. But be careful
about security here: you don't want to give random machines on the
Internet the ability to act as master for arbitrary domains. At the very
least, independently verify that the machine sending the NOTIFY really
is a delegated nameserver for the domain. To be even more paranoid,
verify that the slave is also a delegated nameserver for the domain
(this level of paranoia would make the auto-creation of "stealth" slaves
problematic, however).

You could use some other mechanism for the slave to discover
newly-created zones on the master, of course, e.g. TXT records in some
agreed-upon location...


- Kevin

Robert Hill wrote:

> Hello,
>
> This is probably something that wasn't meant to be
> done with DNS, but I thought I'd ask (cos it would
> definitely make life easier for me).
>
> I have a primary and secondary dns server with
> multiple domains on each. The secondary dns server is
> with another firm and I have to inform them each time
> I add a domain to the primary (mine) so that they will
> add the domain to the secondary (theirs).
>
> Is there a directive that I can enter into the primary
> and secondary dns servers that will add a domain to
> the secondary after I've added it to the primary?
>
> Thanks,
>
> Rob Hill
> thesossed at yahoo.com
>
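A sketch of the NOTIFY-triggered approach Kevin describes, with both of the delegation checks he recommends, written as an added example in Python (it is not from the thread and not BIND's own code). The delegation table, nameserver addresses and the hypothetical handle_notify/slave_stanza helpers are constructed assumptions so the example runs offline; a real script would look the delegation up in the parent zone instead.

```python
import re
from ipaddress import ip_address

# Constructed delegation data (hypothetical): zone -> delegated NS names,
# and NS name -> addresses. Stands in for a real lookup in the parent zone.
DELEGATED_NS = {
    "example.com.": ["ns1.example.com.", "ns2.otherfirm.example."],
    "example.net.": ["ns1.example.com."],
}
NS_ADDRESSES = {
    "ns1.example.com.": ["192.0.2.1"],
    "ns2.otherfirm.example.": ["198.51.100.2"],
}
# Zone names end up inside named.conf, so only accept plain hostname syntax.
ZONE_RE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?\.?$", re.I)


def delegated_addresses(zone, ns_table=DELEGATED_NS, addr_table=NS_ADDRESSES):
    """Addresses of every nameserver the delegation names for `zone`."""
    addrs = set()
    for ns in ns_table.get(zone, []):
        addrs.update(ip_address(a) for a in addr_table.get(ns, []))
    return addrs


def notify_allowed(zone, notify_src, slave_ip, require_slave_delegated=True):
    """Accept a NOTIFY for `zone` only if its source is a delegated NS for it.
    With require_slave_delegated the slave itself must be delegated too (the
    'paranoid' check, which also rejects auto-creation of stealth slaves)."""
    if not ZONE_RE.match(zone):
        return False
    addrs = delegated_addresses(zone)
    if not addrs or ip_address(notify_src) not in addrs:
        return False
    if require_slave_delegated and ip_address(slave_ip) not in addrs:
        return False
    return True


def slave_stanza(zone, master_ip, file_dir="slaves"):
    """named.conf fragment the script would append once the NOTIFY is verified."""
    name = zone.rstrip(".")
    return (f'zone "{name}" {{\n    type slave;\n    file "{file_dir}/{name}";\n'
            f'    masters {{ {master_ip}; }};\n}};\n')


def handle_notify(zone, notify_src, slave_ip, require_slave_delegated=True):
    """Return the slave stanza to add, or None when the NOTIFY fails the checks."""
    if not notify_allowed(zone, notify_src, slave_ip, require_slave_delegated):
        return None
    return slave_stanza(zone, notify_src)
```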
More information about the bind-users mailing list