Disallowing DDNS in BIND 9.2.1

Simon Waters Simon at wretched.demon.co.uk
Wed Jun 26 13:38:59 UTC 2002

Barry Finkel wrote:
> The 8.2.5 message clearly states that I denied the update; I do not
> allow DDNS on the master.  The 9.2.1 message implies that I would have
> allowed the update if the pre-req condition(s) had been satisfied.
> Is this the case?  I made no changes to my named.conf file for 9.2.1
> except for adding the "key" and "controls" statement.  I have no

No, pre-req are tested before permissions, this seems the wrong
way around to me, at least for zones (or servers) not using DDNS
at all.

It obviously seems the wrong way around to you as well, and the
guy who wrote ./bin/named/update.c thought it was the wrong way
around as well (see comments).

However that is what RFC2136 says should be done.

It is not clear to me that Vixie et al intended this ordering to
be mandatory, and the text reads as if they merely wanted
security checks to be performed before any partial updates to
avoid complexities of failing an update half way through due to
a security constraint.... but then again there could be a
subtlety I'm missing.

More information about the bind-users mailing list