generating update requests

Jan Vicherek honza at ied.com
Sun Oct 31 19:26:26 UTC 1999


On Mon, 30 Aug 1999, Jim Reid wrote:

> >>>>> "Jan" == Jan Vicherek <honza at ied.com> writes:
> 
>     Jan>  I understand that the latest bind allows for updating a
>     Jan> record without having to "update zone file & restart bind". I
>     Jan> understand (correct me if I'm wrong), that bind can receive
>     Jan> some sort of network packet which will tell it, e.g. "under
>     Jan> your primary domain xyz.com, the host abc.xyz.com has new IP
>     Jan> address 1.2.3.4". Once bind gets such information, it stops
>     Jan> resolving abc.xyz.com as previously 4.3.2.1 and starts
>     Jan> resolving it as 1.2.3.4.
> 
>     Jan>   Is there a program which would send to bind this
>     Jan> information by allowing me to supply the requested change on
>     Jan> the command line, or stdin ?
> 
> Yes. See nsupdate. However you've better think VERY carefully before
> using Dynamic DNS. There are very serious problems of scaling and
> security. Each dynamic update bumps the zone serial number => zone
> transfers. The security implications are terrifying: anyone who does an
> nsupdate has write-access to the zone.

   Hmm, isn't there a way to allow only the superuser on the localhost to
do an update ? Or better yet, allow an update only from a trusted network?
(VPN)

> They can add, remove or change
> any resource records they want. Where do you want your mail and web
> traffic to go?
> 
>     Jan> PS : Is there a way to make bind dump its current DB on exit
>     Jan> and reload it when it starts up again ?
> 
> No. What makes you think the cache that the server had before it
> exited will still be valid when it restarts?

   Right after it restarts, it goes through the cache and removes any
expired entries, so it is up to date again.

   I would like to handle a situation where a subdomain (e.g.
dialup.company.com) gets a bunch of nsupdates, so it contains entries
valid at the moment, but suppose I just *have to* restart named at some
point. I don't want to lose the info about that subdomain. It would be
ideal if I could dump that subdomain into a file and restore it from that
file after the restart. Is there an elegant solution ? ( I know I could
ask the dialup hosts to contact a certain port, so I know what their IP is,
and then write it into the zone file, and reload that zone file, but it seems
more natural that they do the nsupdate from a VPN trusted network
themselves.)

   Thanx,

         Jan



 -- Gospel of Jesus is the saving power of God for all who believe --
                ## To some, nothing is impossible. ##
                   http://Vicherek.Waterloo.on.ca/



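As an added example, not part of the original thread or of BIND itself: the script below builds the command stream that nsupdate reads on stdin, so a change like "abc.dialup.company.com now has address 1.2.3.4" can be supplied on the command line and piped into nsupdate. Because whoever can send an update has write access to the zone, the script refuses names outside the expected zone, names containing characters that could inject extra "update" lines, and malformed addresses; if the hostname or address comes from the dialup client itself, that check is what stops a client from adding or deleting arbitrary records. The server address 127.0.0.1, the zone dialup.company.com, the TTL and the key name/secret are assumed placeholders.

```shell
#!/bin/sh
# Added example (not code from the bind-users thread or from BIND):
# generate an nsupdate command stream for replacing one A record.
# Assumed placeholders: server 127.0.0.1, zone dialup.company.com,
# key name "dialup-key" and its secret.

# valid_ipv4 ADDR: four dotted decimal octets, 0-255, no leading zeros.
valid_ipv4() {
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet; do
    case "$octet" in 0|[1-9]*) ;; *) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# valid_name NAME ZONE: hostname characters only (so no newline or space
# can smuggle a second "update" line into the stream) and NAME must lie
# below ZONE, so an update can never touch records outside that subdomain.
valid_name() {
  case "$1" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
  case "$1" in *."$2") return 0 ;; *) return 1 ;; esac
}

# gen_update SERVER ZONE NAME TTL ADDR [KEYNAME SECRET]
# Prints the nsupdate script that deletes any existing A records for NAME
# and adds the new one, signed with a TSIG key when KEYNAME is given.
gen_update() {
  server=$1 zone=$2 name=$3 ttl=$4 addr=$5 keyname=$6 secret=$7
  if ! valid_name "$name" "$zone"; then
    printf 'gen_update: refusing name outside %s or with bad characters\n' "$zone" >&2
    return 1
  fi
  case "$ttl" in ''|*[!0-9]*) printf 'gen_update: bad TTL\n' >&2; return 1 ;; esac
  if ! valid_ipv4 "$addr"; then
    printf 'gen_update: bad IPv4 address\n' >&2
    return 1
  fi
  printf 'server %s\n' "$server"
  if [ -n "$keyname" ]; then
    printf 'key %s %s\n' "$keyname" "$secret"
  fi
  printf 'zone %s\n' "$zone"
  printf 'update delete %s A\n' "$name"
  printf 'update add %s %s A %s\n' "$name" "$ttl" "$addr"
  printf 'send\n'
}

# Usage from a trusted host, e.g.:
#   sh gen_update.sh 127.0.0.1 dialup.company.com abc.dialup.company.com 60 1.2.3.4 | nsupdate
if [ $# -ge 5 ]; then
  gen_update "$@"
fi
```

On the server side the question of "who may do this" is answered in named.conf, not by the client: in BIND 9 an address-based ACL such as `allow-update { 127.0.0.1; 10.8.0.0/24; };` restricts updates to localhost and a trusted network, but since updates travel over UDP the source address can be spoofed, so a TSIG key (`update-policy { grant dialup-key zonesub ANY; };`, with the client using the `key` line above or `nsupdate -k keyfile`) is the stronger control; passing the secret on the command line exposes it to `ps`, so a key file is preferable in practice. On the restart question, BIND 9 writes every accepted dynamic update to a journal file (zonefile.jnl) and replays it when the zone is loaded, so a dynamically updated subdomain survives a restart without any manual dumping.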