How are the SOA record's fields used?

Answered Sun, 3 Feb 2002

> Are you the "Cricket" co-author of the fabulous Nutshell book
> on BIND? If so, I must commend you on an excellent piece of work.

I am, and thanks!

> Now, on to my question. Well, I guess I really have 2 questions!
>
> First of all, I am currently maintaining a hidden primary for a
> particular domain but it is unclear to me whether the start of
> authority record in the hidden primary must point to itself (as it now
> does), or whether it can point to one of the published secondary
> servers? My intention is to not have any internet traffic come to the
> hidden primary server with the exception of the zone transfers and
> queries that the published secondary servers would make. My assumption
> is that I could change the start of authority record to a published
> secondary because I believe the start of authority record is used to
> list the authoritative name servers. However, I want to be absolutely
> sure about this before making the change in case there are any
> unwanted side effects that might occur.

The SOA MNAME field (the one that lists the domain name of the
primary master name server) is used by NOTIFY and by dynamic
update. (Authoritative name servers send NOTIFY messages to
all name servers in NS records that aren't in the MNAME field, and
dynamic updaters try to send updates to the name server listed in the
MNAME field first, if it's also listed in the NS records for the zone.)
If you set it to something besides the primary master's domain name,
NOTIFY and dynamic update might not work. But since queries
aren't directed to the name server in the MNAME field, listing the
real primary master in a hidden primary setup shouldn't matter.

> My second question is with regard to the point of contact record that
> is listed on the primary server. The contact we currently use is
> identical to the e-mail addresses that are published through the
> registrar for administrative, technical, and billing contacts.
> Unfortunately, we have been receiving a steady stream of spam e-mail
> to that address and I am wondering if this could be somewhat avoided
> by changing the point of contact record to an invalid address? My
> understanding is that the point of contact record is only used if
> someone wants to contact the DNS administrator regarding a problem
> with the DNS configuration. The administrators of the published
> secondary servers already know how to contact me in an alternate way
> and we have no need to receive email regarding DNS problems via this
> email address. Therefore, is having a valid point of contact record
> absolutely necessary? I am sure that much spam is also sent to
> e-mail contacts listed with the
> registrar for domains, but dealing with that I suppose is a separate
> situation. I just wonder if some of these spammers create some of
> their lists from doing batch POC queries and spamming to those
> addresses. Any ideas on minimizing spam to the listed contacts at the
> registrar would be appreciated as well :)

The SOA RNAME field is used by people (and address harvesters,
I suppose), not by DNS software. So if you set it to something besides
a legal email address, you'll only affect those two categories of users.
As you already realize, though, it's just as easy to mine your address
out of a registrar's whois database, so I'm not sure that setting the
RNAME field to something bogus would be all that effective. Better
to invest in good email filtering like sieve or procmail.

cricket
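
How the two SOA fields discussed in the answer are consumed, as an added example that is not part of the original answer: it applies the NOTIFY and dynamic update rules as stated above to a constructed hidden-primary zone, and decodes RNAME into a mailbox. The example.com names, the SOA values and all function names are assumptions made for illustration.

```python
# Added example; the zone data is constructed and example.com names are placeholders.

def norm(name):
    """Lower-case a domain name and drop the trailing dot so names compare equal."""
    return name.rstrip(".").lower()

def parse_soa(rdata):
    """Split SOA RDATA text into its seven named fields."""
    f = rdata.split()
    if len(f) != 7:
        raise ValueError("SOA RDATA has 7 fields, got %d" % len(f))
    keys = ("serial", "refresh", "retry", "expire", "minimum")
    soa = {"mname": norm(f[0]), "rname": f[1]}
    soa.update(zip(keys, map(int, f[2:])))
    return soa

def rname_to_email(rname):
    """RNAME encodes a mailbox: the first unescaped dot stands for '@'."""
    rname, i = rname.rstrip("."), 0
    while i < len(rname):
        if rname[i] == "\\":      # escaped character: still part of the local part
            i += 2
        elif rname[i] == ".":
            return rname[:i].replace("\\.", ".") + "@" + rname[i + 1:]
        else:
            i += 1
    raise ValueError("RNAME has no domain part: %r" % rname)

def notify_targets(ns_names, mname):
    """NOTIFY goes to every NS-listed server except the one named in MNAME."""
    return [norm(n) for n in ns_names if norm(n) != norm(mname)]

def update_order(ns_names, mname):
    """Dynamic updaters try MNAME first, but only if it is also in the NS set."""
    ns = [norm(n) for n in ns_names]
    m = norm(mname)
    return ([m] if m in ns else []) + [n for n in ns if n != m]

# Constructed hidden-primary zone: the primary is in MNAME but not in the NS set.
NS = ["ns1.example.com.", "ns2.example.com."]
SOA = parse_soa("hidden.example.com. hostmaster.example.com. "
                "2002020301 10800 3600 604800 86400")

if __name__ == "__main__":
    print("contact:", rname_to_email(SOA["rname"]))
    for label, mname in (("MNAME = hidden primary", SOA["mname"]),
                         ("MNAME = ns1 (published)", "ns1.example.com.")):
        print(label)
        print("  NOTIFY ->", notify_targets(NS, mname))
        print("  update order ->", update_order(NS, mname))
```

With MNAME set to the published secondary ns1, that server drops out of the NOTIFY set and becomes the first dynamic update target, which is the side effect the answer warns about.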