Denied Update Messages On Secondary Servers
Jim Reid
jim at rfc1035.com
Tue Jul 17 16:42:13 UTC 2001
>>>>> "Bill" == Smith, William E (Bill), <Bill.Smith at jhuapl.edu> writes:
Bill> I have logging configured on my secondaries such that any
Bill> unapproved updates, etc are written to a log file. I've
Bill> noticed that a lot of denied from IP for zone type messages
Bill> on each of my secondaries. What I don't understand is why
Bill> I'm seeing them on my secondaries since the clients should
Bill> be going to the primary to try and update.
There is no underestimating the stupidity of DNS client software.
Especially the stuff coming from a company in the top left hand corner
of the USA.
The dynamic update protocol allows update requests to be sent to a
slave server. It is supposed to forward them to the master. This
didn't work in BIND8, so sending updates to a slave server then wasn't
a good idea. Update forwarding does work properly in BIND9. [Well, in
9.1 upwards IIRC.] However if this is used, it should be used in
conjunction with TSIG authentication, not on IP address. IP addresses
are easily faked, so using them for authentication is not wise at the
best of times. With update forwarding, address based authentication
means that it's the slave server which forwards the request that gets
authenticated, not the client that sent the request to the slave.
More information about the bind-users
mailing list