"Hidden Master" visible slave

robertwessel2 at yahoo.com
Thu Jan 12 04:26:48 UTC 2006


carcarx at hotmail.com wrote:
> No, it's not a big-budget Chinese kung-fu movie. ;-)
>
> We want to set up a DNS server for departmental administrators to
> maintain their own zones, but not "mess" with our primary nameservers.
>
> Our idea is to have that "departmental" nameserver master some zones
> with our primary nameservers being the slaves for those zones, but
> we don't want the departmental server to be visible to the internet.
>
> Since the authoritative server for those zones won't be visible the
> clients should look to the visible ones (with some delay).
>
> Any docs about how to automatically avoid referrals to the departmental
> server (aside from tcp/ip rerouting trickery).


Unless I'm missing something...

The secondaries (slaves) *are* authoritative, they just don't have the
zone databases stored locally.  Just set up all your "visible" name
servers to load the zones from your "departmental" name servers, to
which *nothing* refers.  So long as there are no NS records pointing to
the departmental servers, nothing will normally ever try to query them
(excepting, of course, the zone transfer requests from the slaves).
You may well want to hide the departmental servers from the world with
appropriate firewall rules, since they could still be referenced
explicitly.

The usual issues about the slaves polling for updated zones and zone
serial number maintenance apply, of course.
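The arrangement the reply describes, written out as a minimal BIND 9 configuration. This is an added example and not part of the original post or of any BIND documentation; the zone name dept.example.org, the hidden master address 10.0.5.10, the visible secondaries 192.0.2.53 and 198.51.100.53, and the ns1/ns2 hostnames are all assumed placeholders. The hidden master answers only its own secondaries, the secondaries pull from it, and the zone's NS and SOA MNAME records name only the visible servers, so nothing on the internet is ever referred to the departmental host.

```conf
// ---- named.conf on the hidden (departmental) master, assumed 10.0.5.10 ----
// Assumption: these two hosts are the only visible, authoritative secondaries.
acl secondaries { 192.0.2.53; 198.51.100.53; };

options {
    directory "/var/named";
    recursion no;
    // Only the secondaries may query or transfer; pair this with a host/firewall
    // rule on port 53 so the server is unreachable from anywhere else.
    allow-query    { secondaries; };
    allow-transfer { secondaries; };
    // Send NOTIFY only to the listed secondaries, never to the public NS set
    // (which must not include this host anyway).
    notify explicit;
    also-notify { 192.0.2.53; 198.51.100.53; };
};

zone "dept.example.org" {
    type master;
    file "dept.example.org.zone";
};

// ---- named.conf on each visible secondary (192.0.2.53 / 198.51.100.53) ----
zone "dept.example.org" {
    type slave;
    file "slaves/dept.example.org.zone";
    masters { 10.0.5.10; };          // the hidden master, reached on the inside network
    allow-notify { 10.0.5.10; };     // accept NOTIFY from the hidden master only
    allow-transfer { none; };        // assumption: no third party needs AXFR from here
};

// ---- dept.example.org.zone on the hidden master (assumed sample zone) ----
// MNAME names a visible server: the hidden master must not appear in SOA or NS data.
// The serial has to be bumped on every edit or the secondaries never refresh.
$TTL 3600
@       IN  SOA ns1.example.org. hostmaster.example.org. (
                2006011201  ; serial (YYYYMMDDnn, constructed sample)
                3600        ; refresh
                900         ; retry
                604800      ; expire
                300 )       ; negative-cache TTL
        IN  NS  ns1.example.org.
        IN  NS  ns2.example.org.
www     IN  A   192.0.2.80
```

Two checks worth running after deployment: `dig @192.0.2.53 dept.example.org NS` should list only ns1 and ns2, and `dig @10.0.5.10 dept.example.org SOA` from an outside address should time out, confirming that both the BIND ACLs and the firewall rule are in place.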
