DDNS and allow-update declarations

bsfinkel at anl.gov
Wed Dec 10 17:48:03 UTC 2008


Nicholas F Miller <Nicholas.Miller at Colorado.EDU> wrote:

>I have a couple of questions regarding how a Microsoft domain  
>controller updates a dynamic zone.
>
>1 ) When a domain controller tries to update the zone does it try the  
>DNS servers it has listed in its network settings or does it follow  
>the SOA for the zone?
>
>2) In the configs below does the slave server's IP need to be listed  
>in the allow-update declaration on the master zone server?
>
>Master Server - 1.2.3.4
>
>zone "actived.example.com" {
>         type master;
>         file "named.ad";
>         allow-update {
>		1.2.3.4;   	// master DNS server
>                 11.22.33.44;         // domain controller 1
>                 55.66.77.88.99;         // domain controller 2
>                 };
>         allow-transfer {
>                 5.6.7.8; // slave DNS server
>                 };
>};
>
>Slave Server - 5.6.7.8
>
>zone "actived.example.com" {
>         type slave;
>         file "named.ad";
>         allow-update-forwarding {
>                 11.22.33.44;         // domain controller 1
>                 55.66.77.88.99;         // domain controller 2
>                 };
>         allow-transfer { none; };
>         masters {
>                 1.2.3.4; // master DNS server
>         };
>};

1) All updates for a zone need to be sent to the master server for that
   zone, as only the master can perform updates.  And one cannot assume
   that updates sent to a slave server will be forwarded to the
   master.  And the only place in DNS where the master server is listed
   is in the SOA record.

2) I am not sure of the answer.  If a DNS update is sent to a slave
   server and then forwarded to the master, I assume that the master
   will see the request as coming from the real source and not from
   the forwarding slave server.  So, I assume that the slave server is
   not updating the master, and thus does not need to be listed in the
   allow-update declaration.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
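
Answer 1 above names the SOA record as the place where the master server is listed; in the wire format that is the MNAME field of the SOA RDATA (RFC 1035). The following added example, which is not part of the original message, parses a DNS response and extracts the MNAME, handling name compression and rejecting pointer loops. The response bytes, the host name ns1 and all function names are constructed for illustration.

```python
import struct

def read_name(msg, off):
    """Decode a possibly compressed domain name; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:                      # malformed reply: pointers form a loop
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                  # parsing resumes after the first pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:                        # root label ends the name
            return ".".join(labels) + ".", (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def soa_mname(msg):
    """Return (zone, mname) from the first SOA record in the answer section."""
    qd, an = struct.unpack_from("!HH", msg, 4)
    off = 12                                   # fixed DNS header size
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                               # skip QTYPE and QCLASS
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 6:                         # SOA: RDATA starts with MNAME
            mname, _ = read_name(msg, off)
            return owner, mname
        off += rdlen
    raise LookupError("no SOA in answer section")

def build_sample():
    """Constructed authoritative reply to 'actived.example.com. IN SOA'."""
    zone = b"".join(bytes([len(l)]) + l.encode() for l in "actived.example.com".split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
    question = zone + struct.pack("!HH", 6, 1)
    rdata = (b"\x03ns1\xc0\x0c" + b"\x0ahostmaster\xc0\x0c"   # MNAME, RNAME (constructed)
             + struct.pack("!IIIII", 2008121001, 3600, 600, 86400, 3600))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 6, 1, 3600, len(rdata)) + rdata
    return header + question + answer
```
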



More information about the bind-users mailing list