NS also in SOA doesn't get NOTIFY

Chris Thompson cet1 at cam.ac.uk
Thu Oct 27 16:57:24 UTC 2011


On Oct 27 2011, Kevin Darcy wrote:

>On 10/27/2011 11:02 AM, Jonathan Stewart wrote:
>> Hello,
>>
>> Recently I set up a group of nameservers using a hidden master,
>> visible slaves configuration.
>>
>> ns0 - hidden master
>> ns1, ns2, ns3 - visible slave servers
>>
>> So I set the SOA and NS records like this
>>
>> zone.example.  IN SOA ns1.zone.example. hostmaster.example.com. (
>>       1            ; serial number
>>       3600         ; refresh   [1h]
>>       600          ; retry     [10m]
>>       86400        ; expire    [1d]
>>       3600 )       ; minimum   [1h]
>>
>>        IN NS  ns1.zone.example.
>>        IN NS  ns2.zone.example.
>>        IN NS  ns3.zone.example.
>>
>>
>> Thus, the hidden master, ns0, does not appear in the SOA or NS records.
>>
>> The problem is that NOTIFY messages do not get delivered to ns1,
>> because it's the primary server in the SOA record.  If I change the
>> SOA to have ns0, then NOTIFYs work, ns1 updates immediately.  I don't
>> like this solution because my hidden master is no longer hidden when
>> I'm publishing it in the SOA.
>>
>> Also, is this normal/expected behaviour?  How can I get ns0 (and the
>> others) to NOTIFY ns1 when the serial is incremented?  Must I use an
>> explicit {also-notify} ?
>
>Why not put something completely different -- i.e. neither the hidden 
>master nor any of the published NSes -- in the SOA.MNAME? Besides 
>NOTIFY, about the only other thing that cares about SOA.MNAME is Dynamic 
>Update, and that usually requires special handling in a hidden-master 
>scenario anyway...

Alternatively, specify "notify-to-soa yes;" in named.conf. See the ARM:

| notify-to-soa
|
|   If yes do not check the nameservers in the NS RRset against the
|   SOA MNAME. Normally a NOTIFY message is not sent to the SOA MNAME
|   (SOA ORIGIN) as it is supposed to contain the name of the ultimate
|   master. Sometimes, however, a slave is listed as the SOA MNAME in
|   hidden master configurations and in that case you would want the
|   ultimate master to still send NOTIFY messages to all the nameservers
|   listed in the NS RRset. 

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
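
Added example (not part of the original thread and not BIND source code): a simplified Python model of the NOTIFY target selection described in the ARM excerpt above, run against the zone from the original question. The function name, the sample data and the "hidden.invalid." MNAME are constructed for illustration; real also-notify entries are IP addresses, names are used here for readability.

```python
# Simplified model (an assumption, not BIND source) of how a master picks
# NOTIFY targets, following the ARM text quoted in this thread.

def notify_targets(ns_rrset, soa_mname, notify_to_soa=False, also_notify=()):
    """Return the ordered list of names that would receive a NOTIFY."""
    def norm(name):
        # DNS names compare case-insensitively; ignore the trailing dot.
        return name.rstrip(".").lower()

    mname = norm(soa_mname)
    targets = []
    for ns in ns_rrset:
        # Default behaviour: the NS that matches SOA MNAME is assumed to be
        # the ultimate master, so it is skipped unless notify-to-soa is set.
        if norm(ns) == mname and not notify_to_soa:
            continue
        if norm(ns) not in targets:
            targets.append(norm(ns))
    # also-notify entries are added regardless of the MNAME check.
    for extra in also_notify:
        if norm(extra) not in targets:
            targets.append(norm(extra))
    return targets

# Constructed sample data matching the zone in the original question.
NS_RRSET = ["ns1.zone.example.", "ns2.zone.example.", "ns3.zone.example."]
MNAME = "ns1.zone.example."

def scenarios():
    """The three fixes discussed in the thread, next to the failing default."""
    return {
        "default": notify_targets(NS_RRSET, MNAME),
        "notify-to-soa yes": notify_targets(NS_RRSET, MNAME, notify_to_soa=True),
        "also-notify ns1": notify_targets(
            NS_RRSET, MNAME, also_notify=["ns1.zone.example."]),
        "unrelated MNAME": notify_targets(NS_RRSET, "hidden.invalid."),
    }

if __name__ == "__main__":
    for label, targets in scenarios().items():
        print(f"{label:20} -> {', '.join(targets)}")
```

Only the "default" row leaves ns1 without a NOTIFY, so until its refresh timer fires it keeps serving the old zone data while ns2 and ns3 have already transferred the new serial.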
