Problems updating apex NS rrset
Mark Andrews
Mark_Andrews at isc.org
Mon Jan 9 00:00:58 UTC 2006
>
> > For the last several months we've been updating all zones mastered locally
> > using dynamic update, generating input to nsupdate by comparing the old and
> > new versions of the zone. The general style of the updates is
> >
> > prereq yxrrset [name] [type] [data] *#rrs in old RRset
> > OR prereq nxrrset [name] [type]
> > update delete [name] [type]
> > update add [name] [type] [data] *#rrs in new RRset, maybe 0
> >
> > i.e. throw away the old RRset and rebuild it from scratch.
> >
> > A problem has turned up in connection with updating the NS RRset at the ape
> x
> > of a zone. It seems that BIND (this is 9.2.5) won't let you remove all the
> > NS records at the apex, but rather than giving an error it just ignores the
>
> > request to update. In the case of
>
> The protocol won't allow this. At no time during the processing
> of a update is the NS RRset for the zone allowed to be empty.
>
> > update delete [apex] NS
> >
> > it leaves just one of the old NS records in place -- I haven't been able to
> > work out whether the survivor is chosen at random or not.
> >
> > This is wrong, wrong, WRONG. If BIND wants to enforce the (reasonable)
> > constraint that there always be at least one NS record at the apex, it
> > should (1) check this only after the whole (indivisible) update has been
> > applied, not after intermediate stages - i.e. delete all NS records and the
> n
> > add at least one again should be ok, and (2) if the constraint is violated
> it
> > should give an error response to the update, not quietly make the NS RRset
> > something other than was requested.
> >
> > The current behaviour grossly violates the Principle of Minimum Surprise.
> > I've no doubt I can work around it, but why should I have to?
> >
> > PS. I've looked at RFC 2136: I don't find any justification for this
> > behaviour of BIND there.
>
> 7.13. Zone cut management presents some obscure corner cases to the
> add and delete operations in the Update Section. It is possible to
> delete an NS RR as long as it is not the last NS RR at the root of a
> zone. If deleting all RRs from a name, SOA and NS RRs at the root of
> a zone are unaffected. If deleting RRsets, it is not possible to
> delete either SOA or NS RRsets at the top of a zone. An attempt to
> add an SOA will be treated as a replace operation if an SOA already
> exists, or as a no-op if the SOA would be new.
I forgot to add that you can't look forward in the UPDATE section
to see if there is a addition as they need to be processed in
order.
3.4.2 - Update
The Update Section is parsed into RRs and these RRs are processed in
order.
>
>
> > --
> > Chris Thompson
> > Email: cet1 at cam.ac.uk
> >
> >
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the bind-users
mailing list