Subject: Re: dig and DNS authority
To: John Maier <jmaier@midamerica.net>
From: Johan A. van Zanten <johan@ewranglers.com>
List: netbsd-users
Date: 02/19/2002 14:19:21
In message <05dd01c1b978$e255ea60$c814a8c0@jmaier>

>humm, that's sort of how it reads in the bind stuff at which I've been looking...
>
>it seems that primary/secondary are whois concepts and a dig against the root server just
>returns a list of authoritative servers.


The primary name server for a domain does not have to be listed in the
whois DB.  It's just a list of hosts someone says will answer queries for
the domain. 

 Quick example.

  These three UNIX hosts running BIND 8 will all answer DNS queries for
stooges.org:

moe.stooges.org
curly.stooges.org
larry.stooges.org

 moe is configured as the primary name server.  curly and larry are
secondaries. When the admin wants to make a change to the DNS records, he
edits the files on moe, and then does:

ndc reload

...which causes moe to notify curly and larry that there is a later
version of the zone file for them to come get.*

 However, the "outside world" does not need to know moe even exists.  It's
perfectly possible that curly and larry are the only hosts listed in the
whois DB.

 So the only place where one could actually see the difference between the
name servers is in the named.conf file, used by named. (Typically in
/etc.)  The master will have a different file than the secondaries.

 Careful reading of the SOA (Start of Authority) record can yield some
useful info, but there's no guarantee that the information actually
reveals the "primary" name server.  The SOA record could be written such
that the primary host is not revealed.
--johan


*This is relatively new behavior.  5 years ago, there was not a
notification protocol, and the secondary name servers periodically queried
the master to see if there was a newer zone file.