Another way to find the primary server for a zone

Jim Reid jim at rfc1035.com
Fri May 11 09:53:11 UTC 2001


>>>>> "Brad" == Brad Knowles <brad.knowles at skynet.be> writes:

    Brad> 	Right.  The slave should just basically be able to
    Brad> re-transmit the original packet (with TSIG) unmodified, but
    Brad> to the correct upstream server, right?

Yes.

    Brad> 	Is there any reason why you might not want to enable
    Brad> this type of forwarding?

If you use IP addresses in allow-update ACLs, you can lose. The ACL
checks would apply to the address sending the query to the master --
the slave that's forwarding the update -- rather than the address that
generated the original request. When TSIG is used, the source address
of an update request shouldn't matter. It's knowledge of the TSIG
shared secret that provides the authentication.
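
The address-versus-key point in the reply above, as a `named.conf` sketch added here (not part of the original post): it uses BIND 9's `allow-update-forwarding` on the slave and shows the address-based `allow-update` beside the key-based one on the master. The zone name, key name, file names, addresses (RFC 5737 documentation range) and the secret are constructed placeholders.

```conf
// ---- shared by the master and the update client (constructed values) ----
key "ddns-client.example.com." {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-REPLACE-WITH-GENERATED-BASE64-SECRET";
};

// ---- master, assumed address 192.0.2.1 ----
zone "example.com" {
    type master;
    file "example.com.db";

    // Address-based ACL: the check is made against the source address of
    // the packet that reaches the master. A forwarded update arrives from
    // the slave (192.0.2.2), not from the client (192.0.2.50), so this
    // line refuses forwarded updates from the intended client.
    // allow-update { 192.0.2.50; };

    // Key-based ACL: the update is accepted only if it carries a valid
    // TSIG made with the shared secret, whichever address relays it.
    allow-update { key "ddns-client.example.com."; };
};

// ---- slave, assumed address 192.0.2.2 ----
zone "example.com" {
    type slave;
    masters { 192.0.2.1; };
    file "example.com.bak";

    // The slave relays the signed update to the master and does not need
    // the key itself; the authorization decision stays on the master.
    allow-update-forwarding { any; };
};
```

The two `zone` statements belong in the respective servers' configuration files, not in one file.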


More information about the bind-users mailing list