IXFR, NOTIFY, and NAT

David Botham dns at botham.net
Wed Sep 25 17:33:19 UTC 2002

> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Jim Reid
> Sent: Tuesday, September 24, 2002 6:09 PM
> To: Robert Messinger
> Cc: bind-users at isc.org
> Subject: Re: IXFR, NOTIFY, and NAT
> 
> >>>>> "Robert" == Robert Messinger <lists at mail.tiggee.com> writes:
> 
>     Robert> Just wanted to mention this to everyone.
> 
>     Robert> Strongly suggest you "not" use NAT if you want the NOTIFY
>     Robert> to work correctly.
> 
> Why qualify this? Not using NAT is always the Right Thing To Do.

Jim, are you saying that NAT is not a good idea when used in conjunction
with DNS, or NAT is bad in general?

Dave...

> 
>     Robert> I have a feeling that there is something with the IP
>     Robert> header which throws the whole thing in the crapper.
> 
> The "something in the header" will no doubt be the source IP addresses
> for the NOTIFY packets. Your server is probably seeing the NOTIFY
> messages coming from a different address from where they actually came
> from. And therefore it is ignoring them apart from logging a warning
> about NOTIFYs coming from an "unexpected source" or something like
> that. This will be happening because the NAT box is diddling with the
> addresses on the inbound and outbound packets. Some of these devices
> are truly evil and stupid because they diddle with the contents of DNS
> packets to make the IP addresses in any A records look right. NAT?
> Just say no.
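To make the failure Jim describes concrete, here is an added example (not from the thread) modelling in Python how a secondary decides whether to honour a NOTIFY: the datagram's source address is checked against the configured masters, and a NAT box rewriting that source on the way out makes the check fail. The allow-notify list is BIND's real option for admitting extra addresses, though the thread does not mention it; the addresses and the NAT mapping are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: the primary sits behind a NAT box, and the
# secondary is configured with the primary's private address as master.
PRIMARY_INSIDE = "10.0.0.5"
NAT_OUTSIDE = "203.0.113.9"

# Many-to-one NAT: every inside host leaves with the box's outside address.
NAT_TABLE = {ip_network("10.0.0.0/24"): ip_address(NAT_OUTSIDE)}


def nat_translate(src: str) -> str:
    """Rewrite a packet's source address the way the NAT box does on egress."""
    addr = ip_address(src)
    for inside, outside in NAT_TABLE.items():
        if addr in inside:
            return str(outside)
    return src  # not behind the NAT: source address left unchanged


def notify_accepted(observed_src: str, masters, allow_notify=()) -> bool:
    """A secondary honours NOTIFY only from a configured master or from an
    address explicitly listed in allow-notify; anything else is ignored
    (BIND logs a refusal naming the offending source)."""
    src = ip_address(observed_src)
    return any(src == ip_address(a) for a in (*masters, *allow_notify))


def notify_outcome(masters, allow_notify=()):
    """Send a NOTIFY from the primary through the NAT and report what the
    secondary saw as the source and whether it accepted the message."""
    seen = nat_translate(PRIMARY_INSIDE)
    return seen, notify_accepted(seen, masters, allow_notify)


if __name__ == "__main__":
    # As configured in the thread's scenario: master is the inside address.
    seen, ok = notify_outcome(masters=[PRIMARY_INSIDE])
    print(f"NOTIFY arrived from {seen}: {'accepted' if ok else 'refused'}")
    # Mitigation: also admit the NAT box's outside address via allow-notify.
    seen, ok = notify_outcome(masters=[PRIMARY_INSIDE], allow_notify=[NAT_OUTSIDE])
    print(f"with allow-notify {NAT_OUTSIDE}: {'accepted' if ok else 'refused'}")
```

The same mismatch is what to look for in the secondary's logs: a refused NOTIFY whose source is the NAT box's outside address rather than the master you configured.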
