manual editing of dynamic zones files
Kevin Darcy
kcd at daimlerchrysler.com
Wed Jan 4 00:19:00 UTC 2006
Dan Foster wrote:
>In article <dog41h$h9m$1 at sf1.isc.org>, Roman Mashak <romez777 at gmail.com> wrote:
>
>
>>I suppose there's some restriction prohibiting manual editing of
>>dynamic DNS zone files: I tried to do that, and after restarting
>>named there were no new entries in the zone file. Is this normal and
>>standard behavior? (It happened with bind-8.2.3REL.)
>>
>>
>
>Yes, there are restrictions. It relates to technical reasons involving
>dynamic DNS-related incremental transfers and journalling.
>
>Yes, the behavior you described is expected, because that's not the
>right way to do it before BIND 9.3.1.
>
>Starting with BIND 9.3.1, you can do it without stopping the nameserver by:
>
> # rndc freeze <zone>
> # vi <zone>
> # rndc unfreeze <zone>
>
>With BIND 9.2.x:
>
> # rndc stop
> # rm <.jnl files>
> # vi <zone>
> # <start named>
>
Bear in mind, of course, that while the nameserver is "stop"ped or
"fr[ozen]" any Dynamic Updates coming in will basically get dropped. So
this could be *very* disruptive if you have automatic processes making
those Dynamic Updates, unless all of those processes are capable of
detecting the failure, queueing up their updates, and retrying them
(hopefully in the same order, to prevent sequencing issues).
It might be a better approach to do *all* of your updates via Dynamic
Update from now on, including the "manual" ones. Use "nsupdate" or some
other command-line tool. One of the advantages of this, versus editing
the zone files, is that you don't actually need to be on the master
server to make an update. If you want to exploit this "remote"
capability, though, you'll probably want to set up TSIG-authentication
for the Dynamic Updates, unless you have sufficient security at the
lower network levels (e.g. IPSEC or something like that).
- Kevin
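The two approaches discussed in this thread, as an added shell example that is not part of the original post or of BIND itself: a helper that wraps the freeze/edit/thaw sequence so the zone file is syntax-checked before named reloads it, and a helper that builds an nsupdate batch carrying a TSIG key so the change can be made from a host other than the master. All names (`updkey`, the secret, `example.test.`, the server address) are placeholders; `rndc thaw` is the documented name of the command the thread calls `rndc unfreeze`, and the `key hmac-...:name secret` batch syntax assumes a BIND 9 nsupdate.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes BIND 9 tools (rndc,
# named-checkzone, nsupdate) on PATH; all zone/key values are placeholders.

# Freeze a dynamic zone, edit its file, validate it, then thaw it so named
# reloads the edited file and starts accepting Dynamic Updates again.
# While frozen, incoming updates are refused, so keep the window short.
frozen_edit() {
    zone=$1
    file=$2
    rndc freeze "$zone" || return 1
    "${EDITOR:-vi}" "$file"
    # Refuse to thaw a file named cannot load; a bad reload would take the
    # zone down entirely, which is worse than staying frozen a bit longer.
    # Remember to bump the SOA serial so secondaries pick up the change.
    if named-checkzone "$zone" "$file" >/dev/null; then
        rndc thaw "$zone"
    else
        echo "zone file for $zone rejected by named-checkzone; still frozen, fix it and run: rndc thaw $zone" >&2
        return 1
    fi
}

# Emit an nsupdate batch on stdout. The "key" line carries the TSIG key so
# the master authenticates the request (the alternative to relying on
# network-layer security such as IPsec). "prereq nxdomain" makes the add
# fail cleanly if the name already exists instead of stacking records.
build_update_batch() {
    # $1 server  $2 zone  $3 owner name  $4 TTL  $5 type  $6 rdata
    # $7 TSIG key name  $8 TSIG secret (base64)  $9 HMAC algorithm
    printf 'server %s\n' "$1"
    printf 'zone %s\n' "$2"
    printf 'key %s:%s %s\n' "$9" "$7" "$8"
    printf 'prereq nxdomain %s\n' "$3"
    printf 'update add %s %s %s %s\n' "$3" "$4" "$5" "$6"
    printf 'send\n'
}

# Send a batch to the master; nsupdate exits non-zero on REFUSED/NOTAUTH
# (e.g. bad TSIG signature or an update-policy that denies the change).
send_update() {
    build_update_batch "$@" | nsupdate -v
}

# Demo only when explicitly requested, so sourcing the file is side-effect free.
# Placeholder secret: generate a real one with e.g.
#   tsig-keygen -a hmac-sha256 updkey
if [ "${NSUPDATE_DEMO:-}" = "1" ]; then
    send_update 192.0.2.1 example.test. host1.example.test. 300 A 192.0.2.10 \
        updkey c2VjcmV0LXBsYWNlaG9sZGVy hmac-sha256
fi
```

The batch builder is the piece worth keeping around: once updates go through nsupdate with a TSIG key, the master's `allow-update` or `update-policy` can be restricted to that key rather than to source addresses, and no one needs a shell on the master or a freeze window to add a record.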