generating update requests
Jan Vicherek
honza at ied.com
Sun Oct 31 19:26:26 UTC 1999
On Mon, 30 Aug 1999, Jim Reid wrote:
> >>>>> "Jan" == Jan Vicherek <honza at ied.com> writes:
>
> Jan> I understand that the latest bind allows for updating a
> Jan> record without having to "update zone file & restart bind". I
> Jan> understand (correct me if I'm wrong), that bind can receive
> Jan> some sort of network packet which will tell it, e.g. "under
> Jan> your primary domain xyz.com, the host abc.xyz.com has new IP
> Jan> address 1.2.3.4". Once bind gets such information, it stops
> Jan> resolving abc.xyz.com as previously 4.3.2.1 and starts
> Jan> resolving it as 1.2.3.4.
>
> Jan> Is there a program which would send to bind this
> Jan> information by allowing me to supply the requested change on
> Jan> the command line, or stdin ?
>
> Yes. See nsupdate. However you'd better think VERY carefully before
> using Dynamic DNS. There are very serious problems of scaling and
> security. Each dynamic update bumps the zone serial number => zone
> transfers. The security implications are terrifying: anyone who does an
> nsupdate has write-access to the zone.

Hmm, isn't there a way to allow only the superuser on the localhost to
do an update? Or better yet, allow an update only from a trusted network?
(VPN)

> They can add, remove or change
> any resource records they want. Where do you want your mail and web
> traffic to go?
>
> Jan> PS : Is there a way to make bind dump its current DB on exit
> Jan> and reload it when it starts up again ?
>
> No. What makes you think the cache that the server had before it
> exited will still be valid when it restarts?

Right after it restarts, it goes through the cache and removes any
expired entries, so it is up to date again.

I would like to handle a situation where a subdomain (i.e.
dialup.company.com) gets a bunch of nsupdates, so it contains entries
valid at the moment, but suppose I just *have to* restart named at some
point. I don't want to lose the info about that subdomain. It would be
ideal if I could dump that subdomain into a file and restore it from that
file after the restart. Is there an elegant solution? (I know I could
ask the dialup hosts to contact a certain port, so I know what's their IP,
and then write it into zone file, and reload that zonefile, but it seems
more natural that they do the nsupdate from a VPN trusted network
themselves.)

Thanx,
Jan
-- Gospel of Jesus is the saving power of God for all who believe --
## To some, nothing is impossible. ##
http://Vicherek.Waterloo.on.ca/
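
Added example, not part of the original message or of either poster's configuration: a named.conf fragment in BIND 9 syntax showing the address-based restriction asked about above next to a key-scoped policy that limits what an updater can change. The ACL name, VPN range, file names, key name and secret are placeholders chosen for illustration.

```conf
// Constructed named.conf fragment (BIND 9 syntax). All names, networks
// and the key below are placeholders, not values from the thread.

acl "trusted-vpn" { 127.0.0.1; 10.8.0.0/24; };   // assumed VPN range

// Option 1: address-based control.
// Every process on a listed host, not only root, may add, delete or change
// ANY record in the zone (MX and www included), and the source address of
// a UDP update can be forged, so this only narrows the exposure.
zone "xyz.com" {
    type master;
    file "db.xyz.com";
    allow-update { "trusted-vpn"; };
};

// Option 2: TSIG-signed updates with a per-key policy.
// The updater must sign each request with the shared secret, and the
// policy limits that key to A records at or below dialup.company.com.
key "dialup-update" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // placeholder, e.g. from tsig-keygen
};

zone "dialup.company.com" {
    type master;
    file "db.dialup.company.com";
    update-policy {
        grant dialup-update subdomain dialup.company.com. A;
    };
};
```

With the second form a client sends its update as `nsupdate -k <keyfile>`, and a request that is unsigned, signed with another key, or that touches a record type other than A is refused.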