Bind and AD

Kevin Darcy kcd at daimlerchrysler.com
Wed Sep 11 23:43:07 UTC 2002


Ron Hall wrote:

> On Mon, 9 Sep 2002, Kevin Darcy wrote:
>
> > Mmmm.... Not really. I assume you mean you run the delegated nameservers --
> > or at least the master -- for mcgill.ca...
>
>         'zackly so (but I knew that ;-) )
>
> >
> > Any Dynamic Update client should be looking at the MNAME field of the
> > zone's SOA record, and its NS records, to determine where to send Dynamic
> > Updates. So as long as those are correct, your slaves shouldn't be getting
> > any Dynamic Update requests for the delegated zones.
>
>         The question seems to be that they really want the
>         request to seem like it is coming from the "main" nameservers
>
>         So that if xyz has an update request and it finds one of the
>         "main" name servers, then it has that "host" issue the update
>         request.
>
>         Currently it hits the "main" servers and is routed to the
>         right update "host", but they are trying to hide those
>         behind firewalls.
>
> >
> > If you're running BIND 9, you could also enable update forwarding so that
> > even wayward Dynamic Updates will end up in the right place (don't try this
> > with BIND 8, however; update forwarding is quite broken in that version).
>
>         Well I've been meaning to update to bind 9 for a while now....
>         does this do what I want it to do?

I don't quite understand your requirements, but if you want the Dynamic Update
clients to be able to work, even though they have no connectivity to the master
server, but they _do_ have connectivity to some of the other nameservers listed
in the NS records for the zone (i.e. slaves), then update forwarding should do
what you want, because other, i.e. slave, authoritative servers are supposed to
be tried if a Dynamic Update to the master fails. Alternatively, it may be
possible to configurably *force* the updates to go to an update-forwarding slave,
if your client implementation is not smart enough to do the failover properly,
or if you merely want to avoid the failover-timeout performance penalty. Update
forwarding is broken in BIND 8, so if you want to use this feature, you'll need
BIND 9. Caveat: I've not actually used update forwarding successfully, so
everything I say above is theoretical. Perhaps others with practical experience
with update forwarding can weigh in here...


- Kevin
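Kevin's reply describes BIND 9 update forwarding in prose only. The following named.conf fragments are an added illustration, not configuration from the thread or from the McGill setup it discusses; the zone name example.test, the addresses 192.0.2.1 (hidden master) and 192.0.2.53 (reachable slave), the client range 10.0.0.0/8 and the TSIG key name ddns-key are all constructed placeholders, and the hmac-sha256 algorithm assumes a modern BIND 9, not the 9.2-era release current when the message was written.

```conf
// Added example (not from the original thread): BIND 9 named.conf fragments
// showing how a reachable slave forwards Dynamic Updates to a master that
// clients cannot reach directly. All names and addresses are constructed.

// ---- on the hidden master (192.0.2.1) ----
key "ddns-key" {
    algorithm hmac-sha256;
    secret "<base64 TSIG secret, placeholder>";
};

zone "example.test" {
    type master;
    file "db.example.test";
    // A forwarded UPDATE arrives with the client's TSIG signature intact,
    // so authorize the client's key here rather than the slave's address;
    // an address-based allow-update would have to trust the slave's IP,
    // which is the source address the master sees for every forwarded update.
    allow-update { key "ddns-key"; };
};

// ---- on a slave listed in the zone's NS records (192.0.2.53) ----
zone "example.test" {
    type slave;
    file "slaves/db.example.test";
    masters { 192.0.2.1; };
    // allow-update-forwarding defaults to "none". Limit it to the networks
    // whose clients should be sending updates; anything else still gets
    // the usual NOTAUTH/REFUSED behaviour instead of a relay to the master.
    allow-update-forwarding { 10.0.0.0/8; };
};
```

With this in place, a client that fails over from the SOA MNAME to this slave (or is pointed at it deliberately, as Kevin suggests) has its UPDATE relayed to 192.0.2.1, and the master still decides on its own allow-update policy whether to accept it. Checking that the slave forwards, and that the master refuses an unsigned update, is a quick test with nsupdate against each server in turn.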