generating update requests

Mark_Andrews at iengines.com Mark_Andrews at iengines.com
Sun Oct 31 21:22:14 UTC 1999


> On Mon, 30 Aug 1999, Jim Reid wrote:
> 
> > >>>>> "Jan" == Jan Vicherek <honza at ied.com> writes:
> > 
> >     Jan>  I understand that the latest bind allows for updating a
> >     Jan> record without having to "update zone file & restart bind". I
> >     Jan> understand (correct me if I'm wrong), that bind can receive
> >     Jan> some sort of network packet which will tell it, e.g. "under
> >     Jan> your primary domain xyz.com, the host abc.xyz.com has new IP
> >     Jan> address 1.2.3.4". Once bind gets such information, it stops
> >     Jan> resolving abc.xyz.com as previously 4.3.2.1 and starts
> >     Jan> resolving it as 1.2.3.4.
> > 
> >     Jan>   Is there a program which would send to bind this
> >     Jan> information by allowing me to supply the requested change on
> >     Jan> the command line, or stdin ?
> > 
> > Yes. See nsupdate. However you'd better think VERY carefully before
> > using Dynamic DNS. There are very serious problems of scaling and
> > security. Each dynamic update bumps the zone serial number => zone
> > transfers. The security implications are terrifying: anyone who does an
> > nsupdate has write-access to the zone.
> 
>    Hmm, isn't there a way to allow only the superuser on the localhost to
> do an update ? Or better yet, allow an update only from a trusted network?
> (VPN)

	Update access is controlled via acls which support access
	via cryptographic techniques as well as IP addresses.  If
	only root has access to the right cryptographic key then
	only root will get access if things are so configured.  The
	default acl is 'none;'.

> 
> > They can add, remove or change
> > any resource records they want. Where do you want your mail and web
> > traffic to go?
> > 
> >     Jan> PS : Is there a way to make bind dump its current DB on exit
> >     Jan> and reload it when it starts up again ?
> > 
> > No. What makes you think the cache that the server had before it
> > exited will still be valid when it restarts?
> 
>    Right after it restarts, it goes through the cache and removes any
> expired entries, so it is up to date again.
> 
>    I would like to handle a situation where a subdomain (i.e.
> dialup.company.com) gets a bunch of nsupdates, so it contains entries
> valid at the moment, but suppose I just *have to* restart named at some
> point. I don't want to lose the info about that subdomain. It would be
> ideal if I could dump that subdomain into a file and restore it from that
> file after the restart. Is there an elegant solution ? ( I know I could
> ask the dialup hosts to contact a certain port, so I know what's their IP,
> and then write it into zone file, and reload that zonefile, but it seems
> more natural that they do the nsupdate from a VPN trusted network
> themselves.)
	
	The nameserver writes updates to a transaction log prior to
	replying to the update request; periodically it re-writes
	the zone file and destroys the transaction log.

	Mark
--
Mark Andrews, Internet Engines Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at iengines.com
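As an added example (not part of this thread and not BIND's own code): a small POSIX shell helper that builds the nsupdate batch Jan asks for, validating the host name and address first so a value handed in by a dialup client cannot smuggle extra update commands into the batch, and then sends it signed with a TSIG key file, which is the cryptographic form of the update ACL Mark describes. The server, zone, names and addresses are the thread's own example values; the key file path and the `nsupdate -k keyfile` invocation assume BIND 9's nsupdate.

```shell
#!/bin/sh
# Added example helper (assumptions: BIND 9 nsupdate, a TSIG key file that
# only root can read, e.g. mode 0600). Example names/addresses come from
# the thread: host abc.xyz.com in zone xyz.com moving 4.3.2.1 -> 1.2.3.4.

# Host and zone names: letters, digits, dots and hyphens only. Rejecting
# whitespace here is what stops a caller-supplied value from adding lines
# (and therefore extra "update" commands) to the batch.
valid_name() {
    case $1 in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
}

# Dotted quad with exactly four octets, each 0-255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
}

# Print the nsupdate commands for "host now has address newaddr".
# The delete-then-add pair replaces whatever A records the host had,
# so the same batch can be sent repeatedly without accumulating records.
make_update() {
    server=$1; zone=$2; host=$3; newaddr=$4; ttl=${5:-300}
    valid_name "$server" && valid_name "$zone" && valid_name "$host" &&
        valid_ipv4 "$newaddr" || return 1
    printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$server" "$zone" "$host" "$host" "$ttl" "$newaddr"
}

# Send the batch to the primary, signed with the TSIG key so the server's
# allow-update ACL can require the key rather than trusting a source address.
send_update() {
    keyfile=$1; shift
    make_update "$@" | nsupdate -k "$keyfile"
}
```

Usage, as root on the host holding the key: `send_update /etc/named/xyz-key.private ns.xyz.com xyz.com abc.xyz.com 1.2.3.4`.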

