There's no requirement that the contents of SOA.MNAME have a matching A record in the zone. Even if such a formal requirement existed, you might be able to satisfy it by putting an A record of 0.0.0.0 in the zone. That doesn't expose much :-)

If you're paranoid about zone expiration, tune the EXPIRE setting really high. Just be aware, if you do that, then if you change providers some day, your old provider may be serving up a stale version of the zone for a while, even if you stop zone transfers to them.

For that matter, you're not limited to using standards-based master/slave replication. Many folks use rsync to keep their slave zone files in sync with their master (you'd define the zone as "master" everywhere and then use some out-of-band mechanism whenever it changes, e.g. rndc, to tell the "slaves" to reload the zone). Many commercial DNS systems (e.g. Infoblox) have their own proprietary replication mechanisms built-in. Once you depart from standards-based master/slave replication, then zone expiration has only the meaning that your other replication mechanism assigns to it, or perhaps no meaning at all.

I've been running a "hidden master" setup for decades, for all of our external-facing zones. It works well. I can't imagine doing it any other way -- am I going to expose my real primary master to the Internet? No thanks.

                                    - Kevin
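An added example, not code from the thread, for the monitoring worry in the quoted message below: it compares the SOA the public secondary answers with against the hidden master's (reached over the LAN), using RFC 1982 serial arithmetic, and flags an MNAME that is not one of the public NS names or an EXPIRE that leaves little slack. Hostnames and serials in the test data are constructed placeholders; `query_soa` assumes `dig` is on the path.

```python
"""Added example (not from the thread): compare the SOA a public secondary serves
with the hidden master's, using RFC 1982 serial arithmetic, and flag an MNAME that
names something other than a public NS. All hostnames/serials used are constructed."""
import subprocess
from dataclasses import dataclass

@dataclass
class SOA:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int

def _norm(name: str) -> str:
    """Lower-case and strip the trailing dot so dig output and config names compare equal."""
    return name.lower().rstrip(".")

def parse_soa(rdata: str) -> SOA:
    """Parse SOA RDATA as printed by `dig +short SOA <zone>`."""
    f = rdata.split()
    if len(f) != 7:
        raise ValueError(f"malformed SOA rdata: {rdata!r}")
    return SOA(_norm(f[0]), f[1], *(int(x) for x in f[2:]))

def serial_newer(a: int, b: int) -> bool:
    """RFC 1982: True if serial a is newer than b, allowing for 32-bit wraparound."""
    a, b = a & 0xFFFFFFFF, b & 0xFFFFFFFF
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000

def query_soa(zone: str, server: str) -> SOA:
    """Live lookup with dig (not exercised offline); server is the IP or name to ask."""
    cmd = ["dig", "+short", "+norecurse", f"@{server}", zone, "SOA"]
    return parse_soa(subprocess.check_output(cmd, text=True).strip())

def check_secondary(master: SOA, secondary: SOA, public_ns: set) -> list:
    """Return findings; an empty list means the secondary tracks the master cleanly."""
    findings = []
    if serial_newer(master.serial, secondary.serial):
        findings.append(f"secondary behind master ({secondary.serial} < {master.serial})")
    elif secondary.serial != master.serial:
        findings.append(f"secondary ahead of master ({secondary.serial} > {master.serial}); stale or wrong source")
    if secondary.mname not in {_norm(n) for n in public_ns}:
        findings.append(f"MNAME {secondary.mname} is not one of the public NS names")
    if secondary.expire < 2 * secondary.refresh:  # rule of thumb, not an RFC limit
        findings.append(f"EXPIRE {secondary.expire}s is under twice REFRESH {secondary.refresh}s")
    return findings
```

Run it from a host that can reach both servers, e.g. `check_secondary(query_soa(zone, hidden_master_ip), query_soa(zone, public_ns_name), {public_ns_name})`, and alert on a non-empty list.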


On 11/7/2013 1:52 PM, Jonathan Reed wrote:
I'd like my global BIND server to slave a copy of my zone from the master being hosted on my LAN. It appears that this is called a stealth setup. I figured I'd achieve this by having the secondary on the internet slave a view, but I've read that this is not ideal from a security standpoint. The argument being that the zone file contains an IP address of its master. So what's the best way to do this?

A stealth scenario also seems susceptible to a higher chance where the connection is lost between master and slave (complicated by a LAN firewall/ISP in between) and the expire exceeding. We're hosting our global DNS through a provider, so there doesn't seem like an easy way to monitor and confirm a zone transfer from our master alone. Any recommendations?


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
