Recommended DNS notify method for hidden master

Matus UHLAR - fantomas uhlar at fantomas.sk
Mon Aug 16 18:24:27 UTC 2010


On 16.08.10 13:48, recvfrom at gmail.com wrote:
> I have several internal DNS servers, one of which is a hidden master
> for external zones.  The nameserver listed in the SOA RR is in a DMZ.
> The internal DNS servers forward all queries for non-authoritative
> zones to a DNS server in the DMZ that will perform recursive queries,
> but the internal nameservers are restricted from sending queries or
> notifications to outside nameservers (and even if they were, it's
> unlikely that a third-party slave would accept notifies from anything
> but the master as listed in the SOA RR).  What is the recommended
> method to configure DNS notify for the internal hidden master?  I
> recognize that I can specify 'notify-to-soa yes;' in the view
> statement (in which all of these zones are placed; or in individual
> zone statements), but that will still result in attempted notification
> to all of the other NS RRs for the zone.  I'd prefer that the hidden
> master notify the NS listed in the SOA RR, and that nameserver issue
> notification to all of the other NS RRs after it has pulled the
> zone(s).  Will 'notify-to-soa yes;' still initiate a notification even
> if I turn off notify via 'notify no;'?

I would recommend you:
- put real (hidden) master to SOA
- put "notify explicit; also-notify { slave-1; slave-2; };" into its
  configuration 

so the hidden master will only send notifies to your public slaves,
and the public slave(s) will send notifies to third party slaves.

...if you have some third-party slaves, they _must_ fetch the zone from one
of your servers, your public slaves if not the hidden master. So they can
send notifies.

And in fact there's nothing bad in your hidden master sending the notifies
to all NSs...


-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #99999: Out of error messages.
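One way to write out the setup Matus describes, as an added example that is not from the thread: BIND 9 named.conf fragments for the hidden master and for one public slave in the DMZ. The zone name and all addresses (RFC 5737 documentation ranges) are constructed placeholders.

```conf
// Added example, not from the thread. Addresses are constructed placeholders.

// --- Hidden master (internal; not listed in the zone's NS RRset) ---
options {
    // "explicit": do not NOTIFY the servers in the NS RRset, only the
    // also-notify list. Nothing is sent toward third-party NS hosts that
    // the internal network cannot reach anyway.
    notify explicit;
    also-notify { 192.0.2.10; 192.0.2.11; };   // the public slaves in the DMZ
};

zone "example.com" IN {
    type master;
    file "masters/example.com.zone";
    // Only the public slaves may pull the zone from the hidden master.
    allow-transfer { 192.0.2.10; 192.0.2.11; };
};

// --- Public slave in the DMZ (the host the outside world sees) ---
zone "example.com" IN {
    type slave;
    file "slaves/example.com.zone";
    masters { 10.0.0.5; };              // hidden master's internal address
    allow-notify { 10.0.0.5; };         // accept NOTIFY only from the hidden master
    // "yes" is the default: after each transfer this server notifies every
    // other NS RR in the zone, so third-party slaves learn of changes from
    // a server they can reach and are already pulling the zone from.
    notify yes;
    // Limit outbound transfers to the third-party slaves' addresses.
    allow-transfer { 198.51.100.20; 203.0.113.30; };
};
```

Because the hidden master never appears in the NS RRset, the public slave's default NOTIFY fan-out does not reach back into the internal network.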