There's no requirement that the contents of SOA.MNAME have a matching A
record in the zone. Even if such a formal requirement existed, you might
be able to satisfy it by putting an A record of 0.0.0.0 in the zone.
That doesn't expose much :-)
If you're paranoid about zone expiration, tune the EXPIRE setting really
high. Just be aware, if you do that, then if you change providers some
day, your old provider may be serving up a stale version of the zone for
a while, even if you stop zone transfers to them.
For that matter, you're not limited to using standards-based
master/slave replication. Many folks use rsync to keep their slave zone
files in sync with their master (you'd define the zone as "master"
everywhere and then use some out-of-band mechanism whenever it changes,
e.g. rndc, to tell the "slaves" to reload the zone). Many commercial DNS
systems (e.g. Infoblox) have their own proprietary replication
mechanisms built-in. Once you depart from standards-based master/slave
replication, then zone expiration has only the meaning that your other
replication mechanism assigns to it, or perhaps no meaning at all.
I've been running a "hidden master" setup for decades, for all of our
external-facing zones. It works well. I can't imagine doing it any other
way -- am I going to expose my real primary master to the Internet? No
thanks.
- Kevin
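The hidden-master arrangement Kevin describes, written out as BIND 9 named.conf fragments. This is an added example, not configuration from the original post or from ISC; the zone name, the RFC 5737 documentation addresses (192.0.2.10 for the hidden master, 198.51.100.5 for the public secondary) and the TSIG key name are assumptions, and the secret is a placeholder. The master/slave keywords are those of the 2013-era BIND this thread is about; current releases also accept primaries/secondary.

```conf
// ---- named.conf on the hidden master (internal host, never listed in NS records)
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // placeholder; generate with tsig-keygen
};

zone "example.com" {
    type master;
    file "/var/named/example.com.zone";
    notify explicit;                       // NOTIFY only the hosts listed below,
    also-notify { 198.51.100.5; };         // not the NS RRset (which names the public servers)
    allow-transfer { key xfer-key; };      // AXFR/IXFR only with the shared TSIG key
};

// ---- named.conf on the public secondary (198.51.100.5)
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // same placeholder secret as above
};

server 192.0.2.10 {
    keys { xfer-key; };                    // sign every transfer request to the hidden master
};

zone "example.com" {
    type slave;
    file "/var/named/slaves/example.com.zone";
    masters { 192.0.2.10; };
    allow-notify { 192.0.2.10; };          // accept NOTIFY from the hidden master only
    allow-transfer { none; };              // the public server hands the zone to nobody
};
```

In the zone file itself, the SOA MNAME and the NS records name the public servers (for example ns1.example.com), so, as Kevin's first paragraph says, nothing in the zone data points at the hidden master; the master's address lives only in the secondary's `masters` clause. The LAN firewall in front of the hidden master needs to pass TCP and UDP 53 from the public secondary (for SOA queries and AXFR/IXFR) and let NOTIFY out to it.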
On 11/7/2013 1:52 PM, Jonathan Reed wrote:
I'd like my global BIND server to slave a copy of my zone from the
master being hosted on my LAN. It appears that this is called a
stealth setup. I figured I'd achieve this by having the secondary on
the internet slave a view, but I've read that this is not ideal from a
security standpoint. The argument being that the zone file contains an
IP address of its master. So what's the best way to do this?
A stealth scenario also seems susceptible to a higher chance where the
connection is lost between master and slave (complicated by a LAN
firewall/ISP in between) and the expire exceeding. We're hosting our
global DNS through a provider, so there doesn't seem like an easy way
to monitor and confirm a zone transfer from our master alone. Any
recommendations?
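One way to do the monitoring asked about above, and to see how much room the EXPIRE value Kevin mentions actually leaves, as an added example that is not part of either message: a small Python script that compares the SOA the hidden master serves with the SOA the public secondary serves, using RFC 1982 serial arithmetic, and reports how far the secondary is from its EXPIRE deadline. The two SOA answers are constructed in the single-line form `dig +short SOA example.com @<server>` prints; the zone name, server names and the "seconds since last successful refresh" figure (in practice read from the secondary's logs or `rndc zonestatus`) are assumptions.

```python
"""Check a public secondary against a hidden master: serial drift and EXPIRE risk.

Added example; all names, addresses and sample SOA answers are constructed.
"""
from dataclasses import dataclass

SERIAL_MOD = 2 ** 32  # DNS serials are 32-bit and wrap (RFC 1982)

# Constructed sample answers, in the single-line form `dig +short SOA example.com @<server>`
# prints. MNAME names the public server, so the hidden master's address appears nowhere
# in the zone data.
MASTER_SOA_ANSWER = "ns1.example.com. hostmaster.example.com. 2013110702 3600 900 1209600 300"
SECONDARY_SOA_ANSWER = "ns1.example.com. hostmaster.example.com. 2013110701 3600 900 1209600 300"


@dataclass(frozen=True)
class Soa:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(answer: str) -> Soa:
    """Parse SOA RDATA: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM."""
    fields = answer.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}: {answer!r}")
    serial, refresh, retry, expire, minimum = (int(f) for f in fields[2:])
    return Soa(fields[0], fields[1], serial, refresh, retry, expire, minimum)


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 comparison: True when serial a is newer than b, allowing for wraparound."""
    diff = (a - b) % SERIAL_MOD
    return diff != 0 and diff < SERIAL_MOD // 2


def check_secondary(master: Soa, secondary: Soa, seconds_since_refresh: int) -> dict:
    """Report serial drift and the time left before the secondary discards the zone.

    seconds_since_refresh is the age of the secondary's last *successful* refresh
    (from its logs or `rndc zonestatus`); BIND expires the zone once that exceeds EXPIRE.
    """
    seconds_left = secondary.expire - seconds_since_refresh
    return {
        "in_sync": master.serial == secondary.serial,
        "secondary_stale": serial_gt(master.serial, secondary.serial),
        # A secondary ahead of the master points at a stale copy somewhere
        # (e.g. an old provider still serving the zone) or an edit made outside the master.
        "secondary_ahead": serial_gt(secondary.serial, master.serial),
        "missed_refreshes": seconds_since_refresh // secondary.refresh,
        "expired": seconds_left <= 0,
        "seconds_until_expire": max(seconds_left, 0),
    }


def main() -> None:
    master = parse_soa(MASTER_SOA_ANSWER)
    secondary = parse_soa(SECONDARY_SOA_ANSWER)
    # Assume the secondary last refreshed successfully two hours ago (constructed figure).
    report = check_secondary(master, secondary, seconds_since_refresh=7200)
    for key, value in report.items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main()
```

Run it from a host that can query both servers (a jump host on the LAN, or the hidden master itself) and page when `secondary_stale` stays true across more than one REFRESH interval or `seconds_until_expire` drops below a day; with the sample values the secondary is one serial behind and has two weeks of EXPIRE left, which is the window Kevin suggests widening.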
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users