[TAG] How not to do DNS, example n+1

Rick Moen rick at linuxmafia.com
Thu Nov 24 00:34:08 MSK 2005


Quoting Mike Orr (sluggoster at gmail.com):

> I host a website for a nonprofit.  I manage the DNS entry, my friend
> auto-transfers it to his servers, but only his servers are advertised
> at the registrar.

OK.  His are therefore authoritative, and yours aren't.

His do "slave" operation concerning zone transfers; yours serves as 
"master" in that same sense.  

It's problematic to denote either of those things through the 
terms primary/secondary, because the terms have in practice become
vague.

> That way I have the burden of editing the entry, but the public is not
> subject to the whims of my experimental box going down.

Remember:  If yours is unreachable for longer than the SOA Refresh
interval, all of your friend's authoritative servers will void the
entire zonefile as outdated.  Which would sort of defeat the purpose 
of the setup.  At bare minimum, your friend needs to know that he might
need to switch his/her /etc/bind/named.conf (or equivalent) to "master" 
operation in a hurry, if your nameserver drops off the Net.

> When I originally set up the domain, I thought that the first IP
> listed at the registrar had to be the one that contains the original
> configuration file, or the transfer to the secondary wouldn't work
> right.  Dan Wilder (whom longer-term TAG members will remember)
> explained that they're two separate issues: a secondary can transfer
> from any IP, and the registrar doesn't care which server is the
> "original". 

Here, the concept you're talking about is actually called "slave" in
current BIND9 lingo, not secondary.  (Old-timers might still use that
term from BIND4 usage, but it's confusing for reasons I've cited
elsewhere.)

> He also said that unadvertised masters are common to avoid attacks to
> the original data.  I figure this confusion between master/slave,
> primary/secondary, and authoritative/non-authoritative is common among
> readers and deserves a short explanation in a DNS overview.

Feel free to write one.  ;->  I considered that waaaaay too difficult to
make clear in a short overview.  I'm even more of that opinion than
before, at this point -- but horses for courses.


> I have my computer listed in the SOA.  From Rick's last message, that
> sounds like a mistake but no big deal.

{shrug}  You're free to put any hostname you want, there:  Basically,
it's a human-focussed information pointer, indicating where the master
zonefile is claimed to live.  No software process to my knowledge uses
that information.
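As an added illustration of the SOA-timer point above (this is not code from Rick's or Mike's message), here is a small Python check a zone operator can run against the master's SOA record to see how long the advertised slaves keep answering once the master drops off the Net. It models the timers as RFC 1035 defines them: a slave re-checks the master after Refresh, retries every Retry seconds on failure, and discards the zone once Expire seconds have passed since its last successful transfer. The SOA text, domain names and timer values are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample in the presentation format `dig +noall +answer example.org SOA`
# prints; every name and number here is made up for this example.
SAMPLE_SOA = ("example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. "
              "2005112301 7200 1800 604800 86400")


@dataclass
class SOATimers:
    serial: int
    refresh: int   # seconds between a slave's checks of the master's serial
    retry: int     # seconds before a slave retries a failed refresh
    expire: int    # seconds after the last good transfer before the slave stops answering
    minimum: int   # negative-caching TTL (RFC 2308 meaning)


def parse_soa(text: str) -> SOATimers:
    """Parse the five numeric SOA fields out of a dig-style SOA line."""
    fields = text.split()
    idx = fields.index("SOA")
    # RDATA after the SOA keyword: MNAME, RNAME, then serial/refresh/retry/expire/minimum
    nums = [int(x) for x in fields[idx + 3: idx + 8]]
    if len(nums) != 5:
        raise ValueError("SOA record needs serial, refresh, retry, expire, minimum")
    return SOATimers(*nums)


def slave_status(timers: SOATimers, seconds_since_transfer: int) -> dict:
    """Where a slave stands if the master has been unreachable since its last transfer."""
    t = seconds_since_transfer
    # First attempt happens at Refresh; after that, one attempt every Retry seconds.
    failed_attempts = 0 if t < timers.refresh else 1 + (t - timers.refresh) // timers.retry
    expired = t >= timers.expire
    return {
        "serves_zone": not expired,
        "seconds_until_expire": max(0, timers.expire - t),
        "failed_attempts": failed_attempts,
    }


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    # Master has been down for three days: still served, but the clock is running.
    print(slave_status(soa, 3 * 86400))
    # Master has been down for a full week: slaves now return SERVFAIL for the zone.
    print(slave_status(soa, 7 * 86400))
```

Run it against the real master's SOA (swap in the `dig` output) before deciding whether the friend's servers need to be switched to "master" operation in a hurry.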
