A number of places use a 'stealth' (or 'hidden') master as a bit of protection from potential bad actors. It's a network domain barrier between the master (usually on an internal-only network) and a public network with potential bad actors.
For example, a dynamic update for a zone will contact the mname defined in the SOA record unless told otherwise. If you watch your DNS traffic closely on a properly configured public authoritative server, you will see many failed dynamic updates. I agree with Darcy in that it causes zones to be inaccurate from an integrity checking perspective; on a properly configured server, there should be no security issues, but it can create some peace of mind. The concept, I believe, is a hold-out behaviour from older environments where the software security couldn't be trusted (or you work in a paranoid-security-culture company).

Stuart

> -----Original Message-----
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of
> Darcy Kevin (FCA)
> Sent: Wednesday, 4 April 2018 7:42 AM
> To: bind-users@lists.isc.org
> Subject: [EXTERNAL] RE: Stealth NS records
>
> "Stealth" implies something that isn't seen in the normal course of
> activity, so it's really the *wrong* word to use here, since the apex NS
> records are seen during normal iterative resolution, and in fact the apex
> NS records take precedence over the delegated NS records in the sense of
> RFC 2181 data-ranking. So, to call them "stealth" seems mistaken, and
> misleading.
>
> A better term than "stealth NS" would be "mismatched NS". From an
> integrity-check perspective, IMO the mismatch condition should be flagged
> as questionable if the apex NS records are a superset of the delegated
> ones, and worrisome if completely disjoint.
>
> - Kevin
>
> -----Original Message-----
> From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of Matus
> UHLAR - fantomas
> Sent: Friday, March 30, 2018 4:27 AM
> To: bind-users@lists.isc.org
> Subject: Re: Stealth NS records
>
> On 30.03.18 15:44, PANG J. wrote:
> >I saw a zone check on intodns.com shows,
> >
> >Stealth NS records were sent:
> >ns2.xxx.com
> >ns1.xxx.com
> >
> >So what's a stealth NS record?
>
> http://massivedns.com/blog/dns-report-tutorials/what-are-stealth-ns-records/
>
> maybe I could explain more deeply if you have sent the domain.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Linux IS user friendly, it's just selective who its friends are...
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
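
An added example, not part of the thread or of BIND: it compares the NS set a parent delegates with the NS set a zone publishes at its apex, ranks a mismatch with the two categories Kevin proposes, and reports an SOA MNAME that appears in neither set. The records, the example.test names and the function names are constructed for illustration; reading an unlisted MNAME as a sign of a hidden master is an assumption.

```python
# Added example: the records below are constructed, not taken from the thread.
PARENT = """\
example.test. 172800 IN NS ns1.example.test.
example.test. 172800 IN NS ns2.example.test.
"""
APEX = """\
example.test. 3600 IN SOA master.internal.example.test. hostmaster.example.test. 2018040401 7200 900 1209600 3600
example.test. 3600 IN NS NS1.example.test.
example.test. 3600 IN NS ns2.example.test.
example.test. 3600 IN NS ns3.example.test.
"""

def rdata_names(answer, rtype):
    """First rdata field of every record of rtype in dig-style answer text."""
    names = set()
    for line in answer.splitlines():
        fields = line.split()
        # Layout: owner TTL class type rdata...; lines starting with ';' are comments.
        if len(fields) >= 5 and not fields[0].startswith(";") and fields[3].upper() == rtype:
            names.add(fields[4].rstrip(".").lower())  # DNS names compare case-insensitively
    return names

def classify(delegated, apex):
    """Rank an NS mismatch the way Kevin proposes in the thread."""
    if not delegated or not apex:
        return "incomplete"    # one side missing, nothing to compare
    if delegated == apex:
        return "match"
    if apex > delegated:
        return "questionable"  # apex NS set is a strict superset of the delegation
    if apex.isdisjoint(delegated):
        return "worrisome"     # no name server in common
    return "mismatched"        # partial overlap: the thread does not rank this case

def check(parent_answer, apex_answer):
    delegated = rdata_names(parent_answer, "NS")
    apex = rdata_names(apex_answer, "NS")
    mname = rdata_names(apex_answer, "SOA")  # first SOA rdata field is the MNAME
    return {
        "verdict": classify(delegated, apex),
        "apex_only": sorted(apex - delegated),
        "delegation_only": sorted(delegated - apex),
        # Assumption: an MNAME in neither NS set points at a hidden master.
        "mname_not_in_ns": sorted(mname - apex - delegated),
    }

if __name__ == "__main__":
    print(check(PARENT, APEX))
```

In practice the two inputs would be the NS answer from a parent-zone server and the NS and SOA answers from one of the zone's own authoritative servers.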