Another way to find the primary server for a zone
Jim Reid
jim at rfc1035.com
Fri May 11 09:53:11 UTC 2001
>>>>> "Brad" == Brad Knowles <brad.knowles at skynet.be> writes:
Brad> Right. The slave should just basically be able to
Brad> re-transmit the original packet (with TSIG) unmodified, but
Brad> to the correct upstream server, right?
Yes.
Brad> Is there any reason why you might not want to enable
Brad> this type of forwarding?
If you use IP addresses in allow-update ACLs, you can lose. The ACL
checks would apply to the address sending the query to the master --
the slave that's forwarding the update -- rather than the address that
generated the original request. When TSIG is used, the source address
of an update request shouldn't matter. It's knowledge of the TSIG
shared secret that provides the authentication.
More information about the bind-users mailing list
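An added example, not part of the original post: a named.conf sketch of the setup discussed above, showing the master's address-based allow-update ACL beside a TSIG key-based one. The zone name, file paths, addresses (documentation ranges), key name and secret are constructed placeholders, and the three zone statements belong to separate configurations.

```conf
// Constructed example: all names, addresses and the secret are placeholders.

// --- Slave (192.0.2.53): forwards dynamic updates to the master ---
zone "example.com" {
    type slave;
    masters { 192.0.2.1; };
    file "slave/example.com.db";
    // Forwarding does no authorization of its own; the master decides.
    allow-update-forwarding { any; };
};

// --- Master (192.0.2.1), variant A: address-based ACL ---
// A forwarded update reaches the master from 192.0.2.53 (the slave),
// not from 198.51.100.10 (the host that generated it). The ACL below
// is matched against the slave's address, so the forwarded update is
// refused. Listing the slave's address instead would accept every
// update the slave forwards, whoever originally sent it.
zone "example.com" {
    type master;
    file "master/example.com.db";
    allow-update { 198.51.100.10; };
};

// --- Master (192.0.2.1), variant B: TSIG key-based ---
// The key is also configured in the client that signs the update.
key "update-key.example.com." {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET==";
};

// The update is authorized by its TSIG signature, so it is accepted
// whether it arrives directly or via the forwarding slave.
zone "example.com" {
    type master;
    file "master/example.com.db";
    allow-update { key "update-key.example.com."; };
};
```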