Hello Andrey!

Andrey G. Sergeev (AKA Andris) <[EMAIL PROTECTED]> wrote on 18 Aug 2008 0:05:

> Sun, 17 Aug 2008 19:20:45 +0200 Frank Behrens wrote:
>
>>> Assuming that all of your 3 secondaries have good Internet
>>> connectivity, I suggest you establish a so-called "unpublished
>>> primary" scheme. The necessary steps are:
>>> 1. Remove your master server from the NS records in your zone file;
>>> 2. Choose one of your slave servers and put its host name in the SOA
>>> record, replacing the master server name;
>>
>> Why should this be done (step 2)?
>
> This is just a safety measure. Some registrars and even ccTLD registries
> require that a name server listed in the SOA must also be listed in the NS
> record set. The same behavior is demonstrated by some DNS validation
> software, including several online tools. It sounds like this
> requirement isn't based on any RFC except RFC 883, page 33, para 3,
> sentence 3. The second reason for step 2 is to maintain a truly
> "unpublished (stealth) primary" configuration.
>
> However, step 2 can interfere with dynamic DNS updates and
> sometimes with the NOTIFY mechanism. Mr. Cricket Liu, the author of "DNS
> and BIND", has commented on this problem at
> http://www.menandmice.com/knowledgehub/dnsqa/20 . So it's up to an
> administrator whether to completely hide the real primary or not.
So we are in agreement about the results. That recommends an additional step
in this special case:

5. Configure your hidden primary server with an "also-notify" option in order
   to send NOTIFY messages to the secondary server mentioned in the SOA record.

-- 
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.
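The following is an added example of the complete hidden-primary setup the thread arrives at (steps 1, 2 and 5), written as BIND 9 configuration; it is not configuration posted by either Frank or Andrey. All host names and addresses (ns-hidden.example.net at 192.0.2.1, the three published secondaries ns1/ns2/ns3.example.com at 192.0.2.2-4, the zone example.com) are made-up values for illustration. The point it shows is why step 5 is needed: BIND sends NOTIFY to every server in the zone's NS RRset except the one named in the SOA MNAME field, because it assumes that name is itself; after step 2 that name is a secondary, so that secondary is silently skipped unless it is listed in also-notify.

```conf
// ===== named.conf on the hidden primary (ns-hidden.example.net, 192.0.2.1) =====
// Hypothetical names/addresses; added example, not the thread's own config.
options {
    recursion no;                      // an authoritative-only box
    // Only the three published secondaries may pull the zone. Combine this
    // with a firewall rule so that nothing else can even reach port 53 here.
    allow-transfer { 192.0.2.2; 192.0.2.3; 192.0.2.4; };
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    notify yes;                        // NOTIFY to NS RRset minus SOA MNAME ...
    // ... which after step 2 is ns1.example.com. Step 5: name it explicitly,
    // otherwise ns1 learns of changes only when its SOA refresh timer fires.
    also-notify { 192.0.2.2; };
};

// ===== named.conf on each published secondary (e.g. ns1.example.com) =====
zone "example.com" {
    type slave;
    file "/var/cache/bind/db.example.com";
    masters { 192.0.2.1; };            // the hidden primary: in no NS or SOA record
    allow-transfer { none; };          // secondaries do not re-export the zone
    // Optional, only for the dynamic-update case the thread mentions: clients
    // that follow SOA MNAME will send updates to ns1, which must forward them
    // to the real primary (and the primary must allow-update from 192.0.2.2).
    // allow-update-forwarding { 192.0.2.0/24; };
};

; ===== /etc/bind/db.example.com on the hidden primary =====
; Step 1: the primary's own name appears nowhere in the zone.
; Step 2: SOA MNAME is a published secondary, so MNAME is also in the NS set.
$TTL 3600
@       IN  SOA ns1.example.com. hostmaster.example.com. (
                2008081801  ; serial
                3600        ; refresh
                900         ; retry
                1209600     ; expire
                3600 )      ; negative-cache TTL
        IN  NS  ns1.example.com.
        IN  NS  ns2.example.com.
        IN  NS  ns3.example.com.
ns1     IN  A   192.0.2.2
ns2     IN  A   192.0.2.3
ns3     IN  A   192.0.2.4
```

To verify the setup, bump the serial, `rndc reload example.com` on the hidden primary, and confirm within seconds that `dig +norecurse @192.0.2.2 example.com SOA` (and the same against .3 and .4) shows the new serial; if ns1 lags behind the other two until its refresh interval elapses, the also-notify entry is missing or the NOTIFY is being filtered. An alternative to `notify yes` plus a one-entry also-notify is `notify explicit;` with all three secondaries in also-notify, which makes the NOTIFY target list independent of the NS RRset and SOA MNAME altogether. Signing transfers and NOTIFYs with TSIG keys rather than relying on source addresses alone is a further hardening step not shown here.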
