BIND, Master, Slaves and Notify

bind master-slave

You've two options in your master's BIND config for a given zone:

notify yes - will send notifications to all of the published NS records for the domain.

notify explicit - will send notifications only to those IPs listed in the also-notify configuration.

In either case, the slaves must be configured with allow-notify that accepts these notifications from the master's IP.

Once it accepts a NOTIFY, the slave then sends an IXFR or AXFR request back to the master. If the master is 'hidden' (ie: not published as an NS record for the domain), then this doesn't matter. The slaves have to be configured with the master's IP directly, so they should know where to send the request.

So long as the master's firewall allows the requests in from the slaves and the master is configured to allow zone transfers, then the salves can retreive their configuration. (This is the part you have to lock down to prevent unauthorized name servers scraping your zone files)


Bind DNS sends a notify to all name servers except itself and the primary master listed in the SOA.

  • notify yes;
    sends notify to all name servers in RR ** (except itself and SOA master)**

  • notify yes; also-notify { x.x.x.x; y.y.y.y; };
    sends notify to x.x.x.x, y.y.y.y and all name servers in RR (except itself and SOA master).

  • notify explicit; also-notify { x.x.x.x; y.y.y.y; };
    sends notify to just x.x.x.x, y.y.y.y


Strictly speaking, the master doesn't know that it has slaves, let alone who they are.

All the DNS server in the role of master "knows" is that it's been configured to "master" a zone.

Further configuration tells it how to assemble a list of other nameservers to notify when that zone changes.

The stock bind 9+ config is, I think, for the nameserver to construct the list of notification targets from the list of NS RRs in the mastered zone. The admin can add to that list with the also-notify config thingy. The admin can also change the behavior with the "notify" thingy.

So, you could say that a master learns how to "knows its slaves" from it's configuration and that most of that time, that means all the NS records in the zone.

Related

Print external host name of EC2 instance
SSH does not allow the use of a key with group readable permissions
nginx simple regex location
Make Tomcat use X-Real-IP
I accidently zipped my whole server
iLO 3 Firmware Update (HP Proliant DL380 G7)
Gmail flagging Dovecot email as insecure
How to enable systemd on Amazon Linux AMI
iSCSI, multiple initiators for the same LUN
Update Office without opening an Office application
Does SMTP greylisting a) stop much spam and b) stop much legitimate mail?
Free Windows server anti-virus and firewall programs?