Bind8 Dynamic DNS How-To?
Barry Finkel
b19141 at achilles.ctd.anl.gov
Tue Jun 13 16:33:45 UTC 2000
Jeff Newton wrote:
>I've been using Bind 8.2.2 for a while now but I'd like to start
>implementing the dynamic DNS features for our many DHCP Windoze
>machines. Plus with Win2K fast approaching.....
>
>The online docs and the list archive don't have much info. Can
>someone point me at an online how-to? I'm sure others have been down
>this road before, I just don't like spinning my wheels when there are
>resources available.
There have been discussions of Win2k in this discussion group; search
archives. A search at the ISC web site with
"win2k" or "w2k"
produced 392 matches.
Here is a summary of a test I ran a few weeks ago in our
Windows 2000 testbed network.
00) There is a machine in the testbed
w2kdesk222.ctd.anl.gov <===> 192.168.1.23
that is running Windows 2000 Professional (clean install); it is
attempting to do dynamic DNS self-registration. I have been told
that there are differences in results in some cases depending upon
whether the Windows 2000 is a fresh install of the RTM code or an
upgrade from a Beta to the RTM code.
01) I changed dns0 (the hidden primary [BIND 8.2.2-P5]) so that
w2kdesk222.ctd.anl.gov <===> 192.168.1.111
bsfdnstest.ctd.anl.gov <===> 192.168.1.23
This would simulate a mis-configured Win2k machine coming online and
trying to register itself.
02) I modified named.conf.dns0 to
allow-update{192.168.1.23;};
for the ctd.anl.gov and the 192.168.1.rev zones.
03) I waited for a self-registration from w2kdesk222. These
occurred in frames 197-210. (Frames 195 and 196 are ping
packets). But there were error messages from BIND:
    15:15:24 error processing update packet (NXRRSET) id 399
             from [192.168.1.23].1915
    15:15:24 error processing update packet (YXRRSET) id 402
             from [192.168.1.23].1918
04) Here is a summary of the DNS trace records. I cannot be sure
that I decoded the sniffer trace records 100% correctly.
    Frm  Src   Dest  Event
    ---  ----  ----  --------------------------
    195  dns0  w2k   Ping w2kdesk222 from dns0
    196  w2k   dns0  Ping reply
    197  w2k   dns0  Dynamic DNS update:
                       Zone: ctd.anl.gov
                       Prereq #1: w2kdesk222.ctd.anl.gov is not a CNAME.
                       Prereq #2: w2kdesk222.ctd.anl.gov has an "A"
                         record pointing to 192.168.1.23 .
    198  dns0  w2k   Response: NXRRSET (8) = Some RRset that ought to exist
                       does not exist.
                       [Prereq #2 failed.]
    199  w2k   dns0  What is the SOA for w2kdesk.ctd.anl.gov?
    200  dns0  w2k   The SOA server is dns0.anl.gov .
    201  w2k   dns0  What is the address of dns0.anl.gov?
    202  dns0  w2k   The address is 192.168.1.4 .
    203  w2k   dns0  Dynamic DNS update:
                       Zone: ctd.anl.gov
                       Prereq #1: w2kdesk222.ctd.anl.gov is not a CNAME.
                       Prereq #2: There is no "A" record for w2kdesk222.ctd.anl.gov .
                       Update: Add "w2kdesk222.ctd.anl.gov IN A 192.168.1.23".
    204  dns0  w2k   Response: YXRRSET (7) = Some RRset that ought to exist
                       does not exist.
                       [Prereq #2 failed.]
    205  w2k   dns0  What is the address of w2kdesk222.ctd.anl.gov?
    206  dns0  w2k   The address is 192.168.1.111 .
    207  w2k   dns0  Dynamic DNS update:
                       Zone: ctd.anl.gov
                       Prereq #1: w2kdesk222.ctd.anl.gov is not a CNAME.
                       Update #1: Delete existing "A" record for w2kdesk222.
                       Update #2: Add "w2kdesk222.ctd.anl.gov IN A 192.168.1.23"
                         with TTL=1200.
    208  dns0  w2k   Response: OK (0)
    209  w2k   dns0  Dynamic DNS update:
                       Zone: 1.168.192.in-addr.arpa
                       Prereq: 23.1.168.192.in-addr.arpa is not a CNAME.
                       [This test will always succeed because
                        a CNAME will never be found in a
                        reverse zone.]
                       Update #1: Delete the existing PTR for 192.168.1.23 .
                       Update #2: Add "192.168.1.23 IN PTR w2kdesk222.ctd.anl.gov"
                         with TTL=1200.
    210  dns0  w2k   Response: OK (0)
05) I looked at the updated zones. Our forward zones come in multiple
pieces; the named.ctd zone contains
        <header information>
        $INCLUDE hosts.ctd
        $INCLUDE mx.ctd
        $INCLUDE cname.ctd
    BIND will replace the base file (named.ctd)
    with a new file that contains all four pieces combined.
    (And the resulting file is not in the same order as the original
    files.)
06) I looked at the updated zones, and I found this:
        192.168.1.111           IN PTR  w2kdesk222.ctd.anl.gov
        192.168.1.23            IN PTR  w2kdesk222.ctd.anl.gov
        w2kdesk222.ctd.anl.gov  IN A    192.168.1.23
        bsfdnstest.ctd.anl.gov  IN A    192.168.1.23
    So, the dynamic DNS update of the forward zone added an additional
    name to the existing name for 192.168.1.23; in the reverse zone it
    replaced the existing reverse entry for 192.168.1.23 . Note that
    after the updates there are "dangling"
        192.168.1.111  IN PTR  w2kdesk222
    and
        bsfdnstest     IN A    23
    entries remaining.
    The TTL values for the new entries are 1200, not our default 86400.
07) I would have assumed that once the Windows 2000 machine had
successfully registered itself, it would turn off the
self-registration. But I still see dynamic DNS updates coming
from the 1.23 machine two days later. The self-registrations appear
to come at repeated intervals of 5 minutes, then 10 minutes, then
60 minutes. We have a THEORY that we have to test in our testbed
network -- Does Win2k expect that the self-registered DNS entries
will expire after the TTL=1200 expires? If these entries were
registered in a Win2k DNS (as opposed to a BIND DNS), would
Win2k Dynamic DNS automatically remove these entries? If this is
so, then a Win2k machine would have to again re-register itself.
    Remember that this is only a THEORY; we have not yet done the
    tests.
08) In the trace there is one TKEY packet from w2kdesk222;
dns0 responds with "format error" (1). In a previous trace from
w2kdesk222 I see many TKEY packets. I have decoded one of these
DNS TKEY packets; it is a GSS-API mode authentication key request
to BIND. BIND 8.2.2-P5 does not accept the GSS-API mode. I have
not yet determined if the "format error" return code is proper
with respect to the draft IETF TKEY specification:
draft-ietf-dnsext-tkey-02.txt
----------------------------------------------------------------------
Barry S. Finkel
Electronics and Computing Technologies Division
Argonne National Laboratory          Phone:     +1 (630) 252-7277
9700 South Cass Avenue               Facsimile: +1 (630) 252-9689
Building 221, Room B236              Internet:  BSFinkel at anl.gov
Argonne, IL 60439-4844               IBMMAIL:   I1004994
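The exchange in frames 197-210 is an instance of RFC 2136 prerequisite processing: the client tries progressively weaker prerequisites until one passes, and the final form (delete the whole A RRset, then add) succeeds no matter what the zone holds. The following is an added example, written for this page and not code from the original post or from BIND; it implements the RFC 2136 prerequisite and update semantics over an in-memory zone and replays the client's three forward attempts and the reverse update against zone data constructed to match step 01. Function names, the zone representation and the trailing dots on names are this example's own choices; TTLs and wire encoding are not modelled.

```python
# Added example (not from the original post and not BIND code): a minimal
# RFC 2136 prerequisite/update evaluator, replaying the three forward UPDATE
# attempts (frames 197, 203, 207) and the reverse update (frame 209) that the
# Windows 2000 client sent.  Zone contents are constructed to match step 01 of
# the post; TTLs and packet encoding are not modelled.

# RCODEs from RFC 2136 section 2.2
NOERROR, NXDOMAIN, YXDOMAIN, YXRRSET, NXRRSET = 0, 3, 6, 7, 8
# Classes that carry meaning in the prerequisite and update sections
IN, NONE, ANY = 1, 254, 255
A, CNAME, PTR = "A", "CNAME", "PTR"

# A zone is {owner name: {rrtype: set(rdata)}}.  Prerequisites and updates are
# (name, class, type, rdata) tuples; rdata is None where the RR carries none.


def check_prereqs(zone, prereqs):
    """Evaluate a prerequisite section (RFC 2136 section 3.2) and return the RCODE."""
    value_dependent = {}                      # (name, type) -> rdata set that must match exactly
    for name, rclass, rtype, rdata in prereqs:
        rrsets = zone.get(name, {})
        if rclass == ANY and rtype == ANY:    # "name is in use"
            if not rrsets:
                return NXDOMAIN
        elif rclass == ANY:                   # "RRset exists (value independent)"
            if rtype not in rrsets:
                return NXRRSET
        elif rclass == NONE and rtype == ANY: # "name is not in use"
            if rrsets:
                return YXDOMAIN
        elif rclass == NONE:                  # "RRset does not exist"
            if rtype in rrsets:
                return YXRRSET
        else:                                 # zone class: "RRset exists (value dependent)"
            value_dependent.setdefault((name, rtype), set()).add(rdata)
    for (name, rtype), wanted in value_dependent.items():
        if zone.get(name, {}).get(rtype, set()) != wanted:
            return NXRRSET
    return NOERROR


def apply_updates(zone, updates):
    """Apply an update section (RFC 2136 section 3.4) in place."""
    for name, rclass, rtype, rdata in updates:
        rrsets = zone.setdefault(name, {})
        if rclass == IN:                      # add an RR
            rrsets.setdefault(rtype, set()).add(rdata)
        elif rclass == ANY and rtype == ANY:  # delete every RRset at the name
            rrsets.clear()
        elif rclass == ANY:                   # delete one RRset
            rrsets.pop(rtype, None)
        elif rclass == NONE:                  # delete one RR
            rrsets.get(rtype, set()).discard(rdata)
            if rtype in rrsets and not rrsets[rtype]:
                del rrsets[rtype]
        if not rrsets:                        # drop names left with no RRsets
            del zone[name]


def dynamic_update(zone, prereqs, updates):
    """Process one UPDATE message; the zone changes only when the RCODE is NOERROR."""
    rcode = check_prereqs(zone, prereqs)
    if rcode == NOERROR:
        apply_updates(zone, updates)
    return rcode


def win2k_register_a(zone, fqdn, ip):
    """Replay the client's forward-zone sequence; returns the RCODE of each attempt."""
    not_cname = (fqdn, NONE, CNAME, None)
    attempts = [
        ([not_cname, (fqdn, IN, A, ip)], []),                       # frame 197: A already == ip?
        ([not_cname, (fqdn, NONE, A, None)], [(fqdn, IN, A, ip)]),  # frame 203: no A at all, add
        ([not_cname], [(fqdn, ANY, A, None), (fqdn, IN, A, ip)]),   # frame 207: replace the A RRset
    ]
    rcodes = []
    for prereqs, updates in attempts:
        rcodes.append(dynamic_update(zone, prereqs, updates))
        if rcodes[-1] == NOERROR:
            break
    return rcodes


def win2k_register_ptr(rev_zone, owner, fqdn):
    """Frame 209: delete whatever PTR RRset the address has, then add ours."""
    return dynamic_update(rev_zone, [(owner, NONE, CNAME, None)],
                          [(owner, ANY, PTR, None), (owner, IN, PTR, fqdn)])


def run_trace():
    """Constructed testbed data from step 01; returns the rcodes and resulting zones."""
    fwd = {"w2kdesk222.ctd.anl.gov.": {A: {"192.168.1.111"}},
           "bsfdnstest.ctd.anl.gov.": {A: {"192.168.1.23"}}}
    rev = {"111.1.168.192.in-addr.arpa.": {PTR: {"w2kdesk222.ctd.anl.gov."}},
           "23.1.168.192.in-addr.arpa.": {PTR: {"bsfdnstest.ctd.anl.gov."}}}
    fwd_rcodes = win2k_register_a(fwd, "w2kdesk222.ctd.anl.gov.", "192.168.1.23")
    rev_rcode = win2k_register_ptr(rev, "23.1.168.192.in-addr.arpa.", "w2kdesk222.ctd.anl.gov.")
    return fwd_rcodes, rev_rcode, fwd, rev


if __name__ == "__main__":
    fwd_rcodes, rev_rcode, fwd, rev = run_trace()
    print("forward attempts:", fwd_rcodes, "reverse:", rev_rcode)   # [8, 7, 0] reverse: 0
    for name, rrsets in list(fwd.items()) + list(rev.items()):
        print(name, rrsets)
```

Running it reproduces the post's outcome: the forward attempts return NXRRSET, YXRRSET and then NOERROR, the bsfdnstest A record and the 192.168.1.111 PTR survive as the "dangling" entries of step 06, and only the PTR at 192.168.1.23 is replaced. Note that nothing in this evaluator checks who sent the message; in the post the only gate is the allow-update address match in step 02, and the GSS-API TKEY the client offered in step 08 was rejected, so the whole exchange rests on the source address alone.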