> Server B is a regular DNS server set up for caching and running
> BIND. It's the one that will be the public face for the blacklist
> providing caching for Server A so as not to load down Server A.

Make B -- and, believe me, if you are operating a public blacklist, C and D and E as well :) -- a secondary to primary A, with A thus your unpublished "stealth primary" for the zone. B, C, D, E are the published authoritative NSs for the zone, while A is "secretly," as you put it, the truly authoritative source of the zone data served to the world by B, C, D, E. This is a good way to take advantage of the flexibility/updatability of RDBMS backends without worrying about the RDBMS-backed server seeing any direct traffic.

--Sandy
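
The stealth-primary layout described in the reply above, sketched as BIND configuration. This is an added example, not part of the original message: the zone name `bl.example.org`, the host names, the ACL names and all addresses (documentation ranges) are constructed, and the fragment for A assumes A accepts BIND-style zone options, which the thread does not state.

```bind
// ---- named.conf on B (repeat on C, D, E): published secondary ----
acl stealth_primary { 192.0.2.10; };        // A's address (constructed)

zone "bl.example.org" {
    type slave;                             // newer BIND releases also accept "secondary"
    masters { 192.0.2.10; };                // pull the zone from A only
    file "slaves/bl.example.org.db";        // local copy, served even if A is unreachable
    allow-notify { stealth_primary; };      // accept NOTIFY for this zone from A only
    allow-transfer { none; };               // do not hand the full list to arbitrary clients
};

// ---- on A: unpublished primary (assumes BIND-style options) ----
acl published_secondaries {                 // B, C, D, E (constructed addresses)
    198.51.100.11; 198.51.100.12;
    203.0.113.13;  203.0.113.14;
};

zone "bl.example.org" {
    type master;
    file "bl.example.org.db";               // stand-in for the RDBMS-backed zone source
    notify explicit;                        // NOTIFY only the servers listed below
    also-notify { 198.51.100.11; 198.51.100.12; 203.0.113.13; 203.0.113.14; };
    allow-transfer { published_secondaries; };
    allow-query { published_secondaries; localhost; };  // A answers no public queries
};

// ---- zone data: the NS set names only B-E, never A ----
// bl.example.org.  IN NS  b.ns.example.org.
// bl.example.org.  IN NS  c.ns.example.org.
// bl.example.org.  IN NS  d.ns.example.org.
// bl.example.org.  IN NS  e.ns.example.org.
// The parent zone's delegation lists the same four names. A has no NS
// record, so resolvers never learn of it; a packet filter on A that
// permits port 53 only from B-E enforces the same rule at the network layer.
```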
