stealth server

Barry Margolin barmar at genuity.net
Fri Jul 6 16:24:47 UTC 2001


In article <9i4htl$72k at pub3.rc.vix.com>,
Barry Finkel  <b19141 at achilles.ctd.anl.gov> wrote:
>I have an open trouble ticket with MS on this serial number issue.

Great!  I've been telling our customers to report the problem to MS.  I
wonder if you could tell me the trouble ticket #, so that I could tell
our customers to just reference this in their report.

>As the subject line of the original posting was "stealth server", I
>have another W2k-related comment.  A W2k server cannot be a stealth
>server, as the MS code will add an NS record for the W2k DNS server
>if one does not exist.  If you delete the NS record, the MS code will
>sense the fact and re-add the NS record.

Since a stealth slave isn't advertised in the delegations or by the
registered authoritative servers, no one outside the organization will ever
query it, so they'll never cache that NS record.

But it does make it impossible to use a W2K as a hidden master.

Another server that has a problem with stealth slaves is Raptor firewall.
It uses the NS records as its allow-transfer list.  However, our slave DNS
architecture makes heavy use of a stealth server: we have one machine that
pulls zone transfers from all our customer masters, and then the advertised
slave servers pull from that machine (the benefit of this is that when a
master is down, only one machine is wasting time trying to connect to it).
We don't want this intermediary advertised in NS records, but it's tricky
to convince Raptor to allow it to pull transfers without this.

>One other related topic that I posted a number of months ago and to 
>which I did not receive a definitive answer --  In a W2k multi-master
>AD-integrated environment, each DNS server has its own copy of the
>zone (stored in the AD).  But the SOA record in each copy is
>different; each DNS server has its own name in the SOA as the master.
>Does this violate any DNS RFC?  My feeling is that it probably does,
>as two zones with the same content except the SOA record are NOT the
>same zone, and it is illegal to have a zone on two masters that
>differs.

The DNS protocols provide a mechanism to implement consistency among
authoritative servers, but I'm not sure they actually *require* it.  In
fact, it's not uncommon for different authoritative servers to have
different views of a zone, as might be done in some load balancing schemes
(each nameserver returns the A record for the webserver nearest it).  And
there are nameservers that return different answers for different clients.

And in the case of the SOA MNAME field, since hardly anything uses it,
there's no practical need for it to be consistent across servers.  The only
thing it's currently used for is dynamic updates, and in MS's case I
suspect they intentionally vary it so that clients will send dynamic
updates to the local server they're using, and then AD will be used to
maintain consistency across all the servers.

-- 
Barry Margolin, barmar at genuity.net
Genuity, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
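As an added illustration, not part of Barry's post or the thread, here is the two-tier slave layout he describes in BIND 9 named.conf syntax: the unadvertised intermediary pulls from the customer master and only the advertised slaves are allowed to pull from it. All addresses are RFC 5737 placeholders, and the customer's master must still list the intermediary in its own allow-transfer (which is exactly where an NS-derived transfer list such as Raptor's gets in the way).

```conf
// Two separate named.conf files shown back to back for illustration.

// ===== File 1: the stealth intermediary (never appears in the NS RRset) =====
options {
    directory "/var/named";
    // No resolver should be pointed at this box; answer only our own nets.
    allow-query { localnets; };
    // Only the advertised slaves may pull zones from it.
    allow-transfer { 192.0.2.21; 192.0.2.22; };
    // Do not NOTIFY the zone's NS RRset (which would leak our existence);
    // push NOTIFY only to the advertised slaves.
    notify explicit;
    also-notify { 192.0.2.21; 192.0.2.22; };
};

zone "example.com" {
    type slave;
    file "sec/example.com";
    masters { 203.0.113.5; };    // the customer's master (placeholder)
};

// ===== File 2: each advertised slave (the names listed in the NS RRset) =====
options {
    directory "/var/named";
    // Advertised slaves serve queries but hand out no zone transfers.
    allow-transfer { none; };
};

zone "example.com" {
    type slave;
    file "sec/example.com";
    // Pull from the intermediary, not from the customer master, so a dead
    // customer master ties up only the intermediary's retry timers.
    masters { 192.0.2.10; };
    // The intermediary is not in the NS RRset, so BIND would not accept its
    // NOTIFY by default; allow it explicitly.
    allow-notify { 192.0.2.10; };
};
```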
