BIND 8.3.x nsupdate not working correctly

Michael Niksch nik at zurich.ibm.com
Fri Feb 8 15:20:49 UTC 2002


With BIND 8.2.5, it was possible to nsupdate an entry in a zone without
specifying that zone's primary explicitly. Obviously, the nameservers
in resolv.conf were used to identify the zone's primary, and then
nsupdate talked to that primary to perform the actual update operation.

With BIND 8.3.0 and 8.3.1, this has stopped working. Using exactly the
same configuration, bind-8.2.5/nsupdate will do its job, while
bind-8.3.0/nsupdate and bind-8.3.1/nsupdate will not. Only if I list
the primary of the zone to update as the first nameserver in
resolv.conf, nsupdate will perform the update.

Note that the dig, host, and nslookup commands are still working.

Note that the problem occurs with BIND 8.3.x on both AIX and Windows
2000 (there it depends on %WINDIR%\system32\drivers\etc\resolv.conf, of
course).

Is this a bug in BIND 8.3.x, or did I miss any voluntary change?
According to the man pages I found, nsupdate is supposed to talk to the
server identified by the MNAME field of the zone's SOA record.

I am attaching the output of nsupdate -d for 8.3.1 and 8.2.5. In both
cases I am attempting to delete a record 'blah.test.zurich.ibm.com'.
While it survives the 8.3.1 attempt, it is gone after the 8.2.5 one.

According to that output, 8.3.1 fails with "status: NOTAUTH", but there
is no configuration difference to the 8.2.5 success with "status:
NOERROR" other than the use of a different nsupdate executable. The
zone specification always has "allow-update { 0/0; }; The debug output
indeed seems to indicated that the failing request is sent incorrectly
to 9.4.4.238, while the succeeding request is sent to the correct
primary, 9.4.67.111.

-- 
Michael Niksch                     /Zurich/IBM @ IBMCH
IBM Zurich Research Laboratory     nik at zurich.ibm.com
Saeumerstrasse 4                   http://www.zurich.ibm.com/~nik/
CH-8803 Rueschlikon / Switzerland  P: +41-1-724-8913 F: +41-1-724-8080


-- Attached file included as plaintext by Ecartis --
-- File: 831.txt

;; res_findzonecut: START dname='blah.test.zurich.ibm.com.' class=IN, zsize=1025, naddrs=3
;; res_findzonecut: get the soa, and see if it has enough glue
;; res_findzonecut: get the ns rrset and see if it has enough glue
;; res_findzonecut: get the missing glue and see if it's finally enough
;; res_findzonecut: add_addrs: 1
;; res_findzonecut: add_addrs: 1
;; res_findzonecut: satisfy(langenberg.zurich.ibm.com): 2
;; res_findzonecut: FINISH n=2 (OK)
;; res_nupdate: res_mkupdate -> 54
;; res_nmkquery(QUERY, blah.test.zurich.ibm.com., IN, SOA)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38387
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;	blah.test.zurich.ibm.com, type = SOA, class = IN

;; Querying server (# 1) address = 9.4.4.238
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38387
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;	blah.test.zurich.ibm.com, type = SOA, class = IN

;; AUTHORITY SECTION:
test.zurich.ibm.com.	0S IN SOA	langenberg.zurich.ibm.com. hostmaster.zurich.ibm.com. (
					187		; serial
					1H		; refresh
					10M		; retry
					1W		; expiry
					0S )		; minimum


;; res_nmkquery(QUERY, test.zurich.ibm.com, IN, NS)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38388
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;	test.zurich.ibm.com, type = NS, class = IN

;; Querying server (# 1) address = 9.4.4.238
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38388
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUERY SECTION:
;;	test.zurich.ibm.com, type = NS, class = IN

;; ANSWER SECTION:
test.zurich.ibm.com.	2H IN NS	langenberg.zurich.ibm.com.
test.zurich.ibm.com.	2H IN NS	rautispitz.zurich.ibm.com.

;; ADDITIONAL SECTION:
langenberg.zurich.ibm.com.  2H IN A  9.4.67.111
rautispitz.zurich.ibm.com.  2H IN A  9.4.4.222

;; res_send()
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 38389
;; flags:; ZONE: 1, PREREQUISITE: 0, UPDATE: 1, ADDITIONAL: 0
;;	test.zurich.ibm.com, type = SOA, class = IN
blah.test.zurich.ibm.com.  0S ANY ANY
;; Querying server (# 1) address = 9.4.4.238
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 38389
;; flags: qr ra; ZONE: 0, PREREQUISITE: 0, UPDATE: 0, ADDITIONAL: 0


-- Attached file included as plaintext by Ecartis --
-- File: 825.txt
-- Desc: Plain Text

;; res_findzonecut: START dname='blah.test.zurich.ibm.com.' class=IN, zsize=1025, naddrs=3
;; res_findzonecut: get the soa, and see if it has enough glue
;; res_findzonecut: get the ns rrset and see if it has enough glue
;; res_findzonecut: get the missing glue and see if it's finally enough
;; res_findzonecut: add_addrs: 1
;; res_findzonecut: add_addrs: 1
;; res_findzonecut: satisfy(langenberg.zurich.ibm.com): 2
;; res_findzonecut: FINISH n=2 (OK)
;; res_nupdate: res_mkupdate -> 54
;; res_nmkquery(QUERY, blah.test.zurich.ibm.com., IN, SOA)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17615
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;	blah.test.zurich.ibm.com, type = SOA, class = IN

;; Querying server (# 1) address = 9.4.4.238
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17615
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;	blah.test.zurich.ibm.com, type = SOA, class = IN

;; AUTHORITY SECTION:
test.zurich.ibm.com.	0S IN SOA	langenberg.zurich.ibm.com. hostmaster.zurich.ibm.com. (
					187		; serial
					1H		; refresh
					10M		; retry
					1W		; expiry
					0S )		; minimum


;; res_nmkquery(QUERY, test.zurich.ibm.com, IN, NS)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17616
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;	test.zurich.ibm.com, type = NS, class = IN

;; Querying server (# 1) address = 9.4.4.238
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17616
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUERY SECTION:
;;	test.zurich.ibm.com, type = NS, class = IN

;; ANSWER SECTION:
test.zurich.ibm.com.	2H IN NS	langenberg.zurich.ibm.com.
test.zurich.ibm.com.	2H IN NS	rautispitz.zurich.ibm.com.

;; ADDITIONAL SECTION:
langenberg.zurich.ibm.com.  2H IN A  9.4.67.111
rautispitz.zurich.ibm.com.  2H IN A  9.4.4.222

;; res_send()
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 17617
;; flags:; ZONE: 1, PREREQUISITE: 0, UPDATE: 1, ADDITIONAL: 0
;;	test.zurich.ibm.com, type = SOA, class = IN
blah.test.zurich.ibm.com.  0S ANY ANY
;; Querying server (# 1) address = 9.4.67.111
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 17617
;; flags: qr ra; ZONE: 0, PREREQUISITE: 0, UPDATE: 0, ADDITIONAL: 0




More information about the bind-users mailing list