
DNS definitions

By Mike Orr (Sluggo)

DNS administrators often speak of master/slave servers, primary/secondary servers, and authoritative/non-authoritative servers. These do not all mean the same thing but are often confused, both due to ignorance and because the official usage has changed over time. So the person you're speaking with may match any term with any of the meanings below, and you'll have to figure out from context what he means. This also means you should explain the term to anybody you're speaking with, or at least add a few words of context so they know which meaning you intend. Note that all these terms are domain-specific: a server can be master for one domain while simultaneously being slave for another domain.

Master/slave

A master server knows about a domain from its own configuration files. A slave server knows because a master has told it. The slave is configured to retrieve that particular domain from a certain master, either through a DNS zone transfer or out-of-band (via 'rsync' or another mechanism). Master/slave is a private relationship between the servers; neither the registrar nor the public know which IP is in the slave's configuration file, or even that it is a slave. A slave's "master" may in fact be slave to another master.

Authoritative/non-authoritative

An authoritative server is listed at the registrar as having the official information for that domain. A non-authoritative server has the information because it earlier asked an authoritative server and cached the answer. You might say, "All slave servers are non-authoritative," but this is misleading. Slave servers contact their masters directly, while non-authoritative servers query the DNS hierarchy.

Primary/secondary

These unfortunate terms were used for master/slave in earlier versions of BIND. However, some people think the primary is the first nameserver IP listed at the registrar, and any others are secondary. In fact, all the nameserver IPs are equal and "authoritative"; the first one does not have a special status. Still other people think primary means the nameserver listed in the zonefile's SOA header, and others think primary means "the domain I personally edit". So avoid the terms primary/secondary. If you do use them (and it's hard not to let them slip out), take care to explain what you mean.

When I originally set up a domain for a nonprofit organization, I thought the first IP listed at the registrar had to be a master, and the others had to be slaves or the zone transfers wouldn't work properly. This turned out to be hogwash. A "hidden master" is actually quite common. That's where the real records are kept at a private or unadvertised server, and all the authoritative servers are slaves. This protects you from attacks: the cracker can get the money but he can't get the family silverware.

A question that comes up in those cases is "what value do I put in the SOA record?" (the item at the top of a DNS zone that tells which computers have the original configuration data). Traditional practice is to list the masters, but that is what you would not do if you really wanted to hide the masters. No DNS program actually uses the SOA value for anything as far as we know; it's more a note to humans than anything else, so you can use it to cue yourself, or your fellow system administrators, in whatever way you prefer.
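As an added example (not part of the original article), here is a small Python check for the hidden-master question above: it parses a zone in master-file format and reports whether the SOA MNAME names a server that does not appear among the zone's advertised NS records, which is exactly the leak you want to avoid when the real master is supposed to stay hidden. The zone data is constructed for the example using documentation names (example.org, 192.0.2.x, 198.51.100.x).

```python
# Constructed sample zone (RFC 2606/5737 documentation names). The SOA MNAME
# names hidden.example.org, which is not one of the advertised NS hosts, so
# the zone itself publishes the name of the supposedly hidden master.
ZONE_LEAKY = """\
$TTL 3600
@   IN SOA hidden.example.org. hostmaster.example.org. (
        2005120101 ; serial
        3600       ; refresh
        900        ; retry
        1209600    ; expire
        300 )      ; negative-cache TTL
    IN NS  ns1.example.org.
    IN NS  ns2.example.org.
ns1 IN A   192.0.2.53
ns2 IN A   198.51.100.53
"""
# Same zone, but MNAME points at one of the advertised (slave) servers.
ZONE_OK = ZONE_LEAKY.replace("SOA hidden.example.org.", "SOA ns1.example.org.")

def records(zone_text):
    """Yield each record as a token list: strip ';' comments and join the
    lines of a parenthesised multi-line record such as the SOA above.
    Deliberately minimal (no $INCLUDE/$ORIGIN handling, no quoted strings)."""
    depth, buf = 0, []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0]
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            tokens = " ".join(buf).split()
            buf = []
            if tokens and not tokens[0].startswith("$"):
                yield tokens

def check_soa_mname(zone_text):
    """Return (mname, advertised_ns, exposed). exposed is True when the SOA
    MNAME names a host that appears in none of the zone's NS records, i.e.
    the SOA gives away a server the NS set does not advertise."""
    mname, advertised = None, set()
    for tokens in records(zone_text):
        if "SOA" in tokens:
            mname = tokens[tokens.index("SOA") + 1].lower()
        elif "NS" in tokens:
            advertised.add(tokens[tokens.index("NS") + 1].lower())
    exposed = mname is not None and mname not in advertised
    return mname, advertised, exposed

if __name__ == "__main__":
    for label, zone in (("leaky", ZONE_LEAKY), ("ok", ZONE_OK)):
        mname, ns, exposed = check_soa_mname(zone)
        print(f"{label}: MNAME={mname} exposes unadvertised host: {exposed}")
```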

Mike is a Contributing Editor at Linux Gazette. He has been a Linux enthusiast since 1991, a Debian user since 1995, and now Gentoo. His favorite tool for programming is Python. Non-computer interests include martial arts, wrestling, ska and oi! and ambient music, and the international language Esperanto. He's been known to listen to Dvorak, Schubert, Mendelssohn, and Khachaturian too.

Copyright © 2005, Mike Orr (Sluggo). Released under the Open Publication license unless otherwise noted in the body of the article. Linux Gazette is not produced, sponsored, or endorsed by its prior host, SSC, Inc.

Published in Issue 121 of Linux Gazette, December 2005