advantages/disadvantages of hidden vs. real primary (on a 1 MBit link)

Barry Margolin barmar at genuity.net
Tue Nov 13 18:51:39 UTC 2001


In article <9srord$ldi at pub3.rc.vix.com>,
Frank Joerdens  <frank at joerdens.de> wrote:
>Greetings. I've been running a hidden primary on a 1 MBit link for 3
>years, and so far, up until very recently that is, it's worked pretty
>well - for our purposes anyway. Now our provider's gone belly-up and it
>turns out that in this special case, it can be a real drag. While the
>physical link is still operational and reasonably stable, their
>nameservers have become really unstable since they filed for bankruptcy
>(presumably because many of the tech people have already left the
>sinking ship). Now that we're switching to the new provider, I am
>wondering whether not just to have a real primary. The arguments against
>it are a) traffic which may bog down the 1 MBit link and b) availability
>(we don't have an autonomous system). 

Another advantage is security.  You can put the hidden primary behind a
firewall, and only allow the ISP's slaves to communicate with it.

I wouldn't worry too much about the traffic.  Unless your domain is really
popular, DNS is not very much traffic.  And if your slave servers normally
respond faster, most of the queries will go to them anyway.

Availability also isn't a big issue.  If the slave servers are off-site,
they'll be used if your connection goes down (I assume by "we don't have an
autonomous system" you meant "we don't have a backup connection").

>The argument for it is ease of
>configuration (the tech person at the new provider's I talked to today
>didn't really know what it was, had to admit that he was out of his
>depth and that he would have to ask a more knowledgeable colleague; the

The people operating the slave servers don't have to do anything!  Hidden
primary is implemented entirely by the administrator of the master server
and the person who submits the domain registration.  The slave servers are
set up the same as if the primary wasn't hidden.

>old provider never managed to get classless in-addr.arpa delegation to
>work although I did point them to the relevant RFC). Hence my questions
>are: Do these arguments really hold any water, and, are there any
>others? What's the current wisdom on this matter?

We're using a hidden primary because it means that all the advertised
servers are configured identically.  If one of them dies we can recreate it
easily from a jumpstart CD, or we can use a hot spare that just needs its
IP address reconfigured.  If the master dies, all the advertised servers
will continue to operate (we won't be able to push out changes until the
master is rebuilt, but that's not as critical).

-- 
Barry Margolin, barmar at genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
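The layout Barry describes (master behind a firewall, reachable only by the ISP's slaves; every advertised server configured identically; NS records naming only the slaves), written out as a BIND named.conf and zone-file example. This is an added example, not configuration from the post or from either provider; all addresses are placeholders from the RFC 5737 documentation ranges, the TSIG secret is a placeholder, and the firewall rule limiting port 53 to the slave addresses is assumed to exist outside named.

```conf
// ---- named.conf on the hidden primary (never listed in NS records) ----
key "xfer-key" { algorithm hmac-sha256; secret "PLACEHOLDER-base64-secret=="; };

acl "isp-slaves" { 203.0.113.10; 203.0.113.11; };   // the ISP's advertised servers

options {
    directory "/var/named";
    recursion no;
    // Nobody but the slaves has a reason to query this box; zone transfers
    // must additionally be signed with the TSIG key (placeholder above).
    allow-query    { isp-slaves; localhost; };
    allow-transfer { key xfer-key; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    also-notify { 203.0.113.10; 203.0.113.11; };   // push NOTIFY to the slaves on change
};

// ---- named.conf fragment used on EVERY advertised slave, byte-for-byte ----
key "xfer-key" { algorithm hmac-sha256; secret "PLACEHOLDER-base64-secret=="; };

server 198.51.100.5 { keys { xfer-key; }; };        // sign traffic to the hidden master

zone "example.com" {
    type slave;
    file "slaves/example.com.zone";
    masters      { 198.51.100.5; };                 // hidden primary's (unadvertised) address
    allow-notify { 198.51.100.5; };
};

// ---- example.com.zone on the hidden primary: only the slaves appear as NS ----
// (separate file; zone-file comments use ';')
// $TTL 3600
// @   IN SOA ns1.example.com. hostmaster.example.com. ( 2001111301 3600 900 1209600 3600 )
//     IN NS  ns1.example.com.
//     IN NS  ns2.example.com.
// ns1 IN A   203.0.113.10
// ns2 IN A   203.0.113.11
```

Because the slaves are the only servers the registry and the NS RRset point at, ordinary resolvers never learn the master's address, and the master's own ACLs plus the firewall mean a dead master only blocks future updates, exactly the failure mode Barry describes.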