nsupdate behavior

Kevin Darcy kcd at daimlerchrysler.com
Tue Dec 18 23:49:21 UTC 2001


No, as a matter of security methodology, it is perfectly appropriate for BIND
to deny all updates by default, even updates originating from the local host.
Do you think it would be appropriate for e.g. a Unix box to allow superuser
rsh's or rlogins from all users on the local host by default? Allowing
arbitrary local users to muck with the contents of authoritative DNS zones is
almost as irresponsible as that.


- Kevin

Ted Wood wrote:

> I get this:
>
> [root at dns named]# nsupdate -d
> > update add superdude.twu.edu. 86400 IN A 192.66.66.65
> > send
> Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  27778
> ;; flags: qr aa rd ra ; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;superdude.twu.edu.             IN      SOA
>
> ;; AUTHORITY SECTION:
> twu.edu.                0       IN      SOA     dns.twu.edu. hostmaster.dns.twu.edu. 5321 86400 10800 3600000 86400
>
> Found zone name: twu.edu
> The master is: dns.twu.edu
>
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  46657
> ;; flags: qr ra ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>
> > quit
> Destroy DST lib
> Detach from entropy
> [root at dns named]#
>
> So it's being refused.  Ok, I need to add the IP address of the primary
> master to the allow-update section of the master zone file in
> /etc/named.conf.  That works.  Why doesn't it allow updates from itself by
> default?
>
> -----Original Message-----
> From: Cricket Liu [mailto:cricket at menandmice.com]
> Sent: Tuesday, December 18, 2001 4:44 PM
> To: Ted Wood; Bind-Users (E-mail)
> Subject: RE: nsupdate behavior
>
> > I'm having trouble with dynamic updates.  My master zone is being updated
> > from the dhcp server and all seems to be well.  However, when I try to add
> > an entry with nsupdate, it never happens.  On the primary master I run:
> > #nsupdate
> > > update add kbase.twu.edu. 86400 A 168.55.93.135
> > > send
> > >
> >
> > I have tried this with the trailing dot and without but to no avail.  This
> > is BIND 9.2.0rc1 running on Redhat 7.1.  Any help would be much
> > appreciated.
>
> What happens when you run nsupdate with the -d (debug)
> command-line option?
>
> cricket
>
> Men & Mice
> DNS Software & Services
> www.menandmice.com
>
> Attend our next DNS and BIND class!  See
> http://www.menandmice.com/8000/8000_dns_training.html
> for the schedule and to register for upcoming classes
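As an added illustration of the point made above (this fragment is not from the thread and is not a BIND project sample), here is a named.conf zone statement for twu.edu written two ways: first with the source-address allow-update that Ted describes, then with a TSIG key. The key name ddns-key.twu.edu., the secret placeholder, the zone file name and the address 192.0.2.1 for the master are assumptions. With the address-based form, any unprivileged process on the master that can emit a UDP packet from 127.0.0.1 or the master's own address can rewrite the zone, which is exactly the "superuser rsh from every local user" situation Kevin objects to; with the key-based form the update is accepted only if it is signed with a secret that lives in a root-readable file.

```conf
// named.conf fragment (added example, not from the original thread).
// Key name, secret placeholder, file name and 192.0.2.1 are assumptions.

// Weak form: trusts the packet's source address. On the master itself
// every local user can originate packets from 127.0.0.1 or 192.0.2.1,
// so every local user can add or delete records in twu.edu.
//
// zone "twu.edu" {
//     type master;
//     file "twu.edu.zone";
//     allow-update { 127.0.0.1; 192.0.2.1; };
// };

// Hardened form: trusts a TSIG signature, not an address.
// Keep the secret out of named.conf if other users can read it, e.g.
// `include "/etc/named.keys";` with that file mode 0640 root:named.
key "ddns-key.twu.edu." {
    algorithm hmac-sha256;               // BIND 9.2 (the thread's version) only had hmac-md5
    secret "REPLACE_WITH_BASE64_SECRET"; // generate with tsig-keygen (or dnssec-keygen on old releases)
};

zone "twu.edu" {
    type master;
    file "twu.edu.zone";
    // Source address is irrelevant now: an unsigned update from localhost
    // is REFUSED just as Ted saw, a signed one from anywhere is accepted.
    // Give the DHCP server its own key so it can be revoked separately.
    allow-update { key "ddns-key.twu.edu."; };
};
```

To send the update from the master you then sign it, either on the command line with `nsupdate -y hmac-sha256:ddns-key.twu.edu.:<secret>` (the `-k keyfile` form avoids putting the secret in the process list) or with a `key ddns-key.twu.edu. <secret>` line at the top of the nsupdate script before `update add`. If the DHCP server should only ever touch leased names, replace `allow-update` with an `update-policy` statement that grants its key rights to a subdomain or to specific record types; the two statements are mutually exclusive in a zone.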