Dynamic DNS (was Re: h2n 2.38)

Kevin Darcy kcd at daimlerchrysler.com
Fri Jun 15 19:19:14 UTC 2001


Kevin Darcy wrote:

> Jim Reid wrote:
>
> > >>>>> "Andris" == Andris Kalnozols <andris at hpl.hp.com> writes:
> >
> >     Andris> Also, BIND 8 users considering the nsupdate command should
> >     Andris> be aware that it requires a zone's master nameserver to
> >     Andris> appear in the NS RRset as well as in the SOA RR's MNAME
> >     Andris> field, i.e., no stealth master is allowed because update
> >     Andris> forwarding is not implemented.  This presents a bit of a
> >     Andris> dilemma for a master that's behind a firewall because
> >     Andris> including such an unreachable nameserver in the NS RRset
> >     Andris> violates the best current practice per RFC 2182.
> >
> > True enough, but why would anybody want to trust DDNS updates that
> > came from the other (presumably hostile and untrusted) side of a
> > firewall?

Oops, one thing that I meant to point out to you (Jim) was that Andris was
referring to making Dynamic Updates to a "stealth" or "hidden" master,
presumably from a client on the *inside* network, not necessarily making
Dynamic Updates *through* the firewall.

In any case, regardless of whether the update comes through the firewall or
not, it could be TSIG-authenticated, which would probably satisfy many if
not most security policies.

> This point is rather moot: Andris is referring only to a limitation in
> the BIND 8 nsupdate client and/or the BIND 8 nameserver. If one writes
> one's own Dynamic Update client (using the BIND 8 libraries if one
> wishes), or uses the Perl Net::DNS module's Dynamic Update routines, or
> uses the BIND 9 nsupdate client (which works fine with a BIND 8
> nameserver), one can *explicitly* specify the target server for the
> Dynamic Update. This is exactly what I'm doing here -- using BIND 9
> nsupdate and explicitly specifying the target server -- with my "hidden
> master" setup.
>
> And of course, if one upgrades nameservers to BIND 9 then update
> forwarding is available too. (Admittedly my external slaves are still
> running BIND 8, but it doesn't matter in this context since I don't need
> update forwarding).


- Kevin
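To make the two points above concrete (choosing the target server yourself instead of relying on the SOA MNAME/NS lookup, and TSIG-authenticating the update), here is an added example that builds a minimal RFC 2136 UPDATE and signs it per RFC 2845. It is not code from this thread or from BIND; the zone, host, key name, shared secret and the hidden-master address are constructed placeholders.

```python
"""Build and TSIG-sign an RFC 2136 DNS UPDATE aimed at an explicitly chosen server."""
import hashlib
import hmac
import socket
import struct
import time

HMAC_MD5 = "hmac-md5.sig-alg.reg.int."  # the TSIG algorithm mandated by RFC 2845


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, root-terminated."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def rr(name, rtype, rclass, ttl, rdata):
    """One resource record in wire format."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_update(zone, host, ip, msg_id, ttl=3600):
    """UPDATE (opcode 5): zone section plus one 'add A record' update, no prerequisites."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # ZO=1 PR=0 UP=1 AD=0
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)   # ZTYPE=SOA, ZCLASS=IN
    return header + zone_section + rr(host, 1, 1, ttl, socket.inet_aton(ip))


def tsig_sign(msg, keyname, secret, now, fudge=300):
    """Append a TSIG RR; the MAC covers the unsigned message plus the TSIG variables."""
    time_signed = struct.pack("!HIH", now >> 32, now & 0xFFFFFFFF, fudge)
    variables = (encode_name(keyname) + struct.pack("!HI", 255, 0)          # class ANY, TTL 0
                 + encode_name(HMAC_MD5) + time_signed + struct.pack("!HH", 0, 0))  # error, other len
    mac = hmac.new(secret, msg + variables, hashlib.md5).digest()
    rdata = (encode_name(HMAC_MD5) + time_signed + struct.pack("!H", len(mac)) + mac
             + msg[:2] + struct.pack("!HH", 0, 0))                          # original ID, error, other len
    arcount = struct.unpack("!H", msg[10:12])[0] + 1                        # TSIG goes in the additional section
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr(keyname, 250, 255, 0, rdata)


def send_update(server, packet, port=53, timeout=5.0):
    """Deliver to the server *we* picked (e.g. the hidden master); no MNAME/NS discovery."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, port))
        return s.recv(4096)


if __name__ == "__main__":
    # Constructed sample values; HIDDEN_MASTER is a placeholder and nothing is sent here.
    HIDDEN_MASTER = "192.0.2.53"
    pkt = tsig_sign(build_update("example.com.", "host.example.com.", "192.0.2.10", 0x1234),
                    "ddns-key.", b"constructed-shared-secret", int(time.time()))
    print(len(pkt), "bytes ready for", HIDDEN_MASTER, pkt.hex())
```

The server side accepts the update only if it holds the same secret under the same key name and the time-signed value falls within the fudge window, so an unsigned or mis-keyed packet reaching the hidden master is simply refused.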