Hidden primary

from Wikipedia, the free encyclopedia

A hidden primary is a particular arrangement of name servers in the Domain Name System (DNS) on the Internet.

A hidden primary is a DNS server that holds the authoritative zone data and is the source of that data, but is not published as a name server for the zone and therefore receives no queries from resolvers. Instead, the publicly listed name servers fetch the zone from it by zone transfer (AXFR/IXFR) and answer all queries themselves. This arrangement is useful when the connection of the primary server is low-bandwidth or unreliable, or when no DNS query traffic is wanted on that link. It also allows administration of the zone files to be delegated.

Hidden primary DNS servers are not listed in WHOIS, because they are not part of the domain's registered name server set.

Setup

The name of the primary server that holds the authoritative zone data is recorded in the MNAME field of the zone's SOA record. When a domain is registered or transferred, at least two name servers that answer queries for the zone must be specified (RFC 1912 requires at least two). The registration data, including which name servers hold the zone, is recorded by the responsible NIC (for example DENIC for .de) in WHOIS. Consequently only the name servers given in the domain registration may appear in the zone's NS resource records (NS RRs); a hidden primary is not among them. Note that the SOA MNAME still reveals the hidden primary's host name to anyone who queries the SOA record (see the example below), so "hidden" means only that the server is absent from the NS set and receives no resolver traffic, not that its existence is secret. Zone transfers from the hidden primary should be restricted (for example with allow-transfer in BIND) to the addresses of the publicly listed name servers, since an open zone transfer hands the entire zone to anyone who asks.

Advantages

The provider (Internet service provider) delegates administration of the DNS zone to the domain owner or to an IT service provider. The operator can adjust the zone's entries independently, without going through the provider's web portal or hotline.

Disadvantages

Each DNS zone carries an expiry interval in its SOA record (the EXPIRE field, not to be confused with the TTL of individual records). A secondary server that cannot reach the primary to refresh the zone keeps serving its old copy until the expiry interval has elapsed since its last successful refresh; after that it discards the zone and answers queries for it with SERVFAIL. If, for a technical or other reason, the provider's name servers cannot transfer or query the zone for that long, the entire zone therefore disappears from the DNS and is no longer available for queries.

The expiry interval is given in the SOA record; in the example below it is 604800 seconds (seven days). Since administration of the zone lies with the operator of the hidden primary, the operator has to ensure that the provider's name servers can always reach the hidden primary and are permitted to transfer the zone. If a problem arises, the zone may be removed from the global DNS without anyone noticing. The operator of the hidden primary should therefore check regularly that the zone is being polled and that the public name servers serve the current serial. The hidden primary thus represents a single point of failure.
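The two checks described above, that the SOA MNAME host is absent from the public NS set and that the public name servers are actually polling the hidden primary before the expiry interval runs out, as an added shell example. This is not code from the article or from Versatel; host names, serials and SOA timers are taken from the article's example, and the --live mode, which needs dig and network access, is an assumption about how one would drive the checks against real servers.

```shell
#!/bin/sh
# Added example, not from the article. Offline checks for a hidden-primary
# setup, built on the SOA RDATA layout:
#   MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
# In production the strings would come from
#   dig +short @"$server" "$zone" SOA
# Field positions are counted from the end so the same code also accepts a
# full "host -t soa" output line, as shown in the article.

soa_mname()   { echo "$1" | awk '{print $(NF-6)}'; }
soa_serial()  { echo "$1" | awk '{print $(NF-4)}'; }
soa_refresh() { echo "$1" | awk '{print $(NF-3)}'; }
soa_expire()  { echo "$1" | awk '{print $(NF-1)}'; }

# Number of full refresh cycles a secondary gets before EXPIRE elapses:
# this is the budget for fixing an unreachable hidden primary.
refresh_cycles_before_expire() {
    echo $(( $(soa_expire "$1") / $(soa_refresh "$1") ))
}

# is_hidden_primary SOA "ns1. ns2. ..." -> 0 when the SOA MNAME host is absent
# from the NS set (the property the article requires), 1 when it is listed.
is_hidden_primary() {
    mname=$(soa_mname "$1")
    for ns in $2; do
        if [ "$ns" = "$mname" ]; then return 1; fi
    done
    return 0
}

# check_serials PRIMARY_SOA NAME SOA [NAME SOA ...] -> 0 when every public
# server serves the serial the hidden primary has; otherwise prints each
# lagging server and returns 1. A lagging server has not refreshed since the
# serial was bumped, so its EXPIRE countdown is already running.
check_serials() {
    primary_serial=$(soa_serial "$1"); shift
    stale=0
    while [ $# -ge 2 ]; do
        name=$1; serial=$(soa_serial "$2"); shift 2
        if [ "$serial" != "$primary_serial" ]; then
            echo "$name serves serial $serial, hidden primary has $primary_serial"
            stale=1
        fi
    done
    return $stale
}

# Live mode (assumed usage; needs dig and network access):
#   sh check.sh --live cd-jena.de lech.cd-jena.de
# Queries the hidden primary directly, then every server in the published
# NS set, and reports which public servers lag behind.
if [ "${1:-}" = "--live" ]; then
    zone=$2; hidden=$3
    set -- "$(dig +short "@$hidden" "$zone" SOA)"
    for ns in $(dig +short "$zone" NS); do
        set -- "$@" "$ns" "$(dig +short "@$ns" "$zone" SOA)"
    done
    check_serials "$@" && echo "all public servers of $zone are in sync"
fi
```

Run in live mode from a cron job on the hidden primary's operator side: a non-zero exit means at least one public server has not picked up the latest serial, and the number printed by refresh_cycles_before_expire is how many polling intervals remain to fix it before the zone vanishes.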

Example

WHOIS entry

$ whois cd-jena.de
..
Domain: cd-jena.de
Nserver: ns01.versatel.de
Nserver: ns02.versatel.de
Nserver: ns03.versatel.de
Status: connect
Changed: 2013-03-11T08:38:40+01:00
..

DNS configuration

BIND configuration example:

/etc/named.conf

zone "cd-jena.de" in {
        type master;
        // acl "versatel-nameservers" { ... }; must be defined elsewhere in named.conf
        // with the addresses of ns01-ns03.versatel.de; no other host may transfer the zone
        allow-transfer { "versatel-nameservers"; };
        notify yes;   // NOTIFY the servers in the NS RRs after each reload (BIND default)
        file "primary/cd-jena.de.zone";
};

/var/named/primary/cd-jena.de.zone

$TTL 3600       ; default TTL for records without one; BIND 9 warns if this directive is missing
; SOA fields: serial, refresh (8 h), retry (2 h), expire (7 days), minimum / negative-caching TTL
@       IN      SOA     lech.cd-jena.de. hostmaster.cd-jena.de. ( 2013031800 28800 7200 604800 3600 )

                NS      ns01.versatel.de.
                NS      ns02.versatel.de.
                NS      ns03.versatel.de.

DNS query

$ host -t soa cd-jena.de
cd-jena.de has SOA record lech.cd-jena.de. hostmaster.cd-jena.de. 2013031800 28800 7200 604800 3600

$ host -t ns cd-jena.de
cd-jena.de name server ns01.versatel.de.
cd-jena.de name server ns03.versatel.de.
cd-jena.de name server ns02.versatel.de.
