DDNS and allow-update declarations

Nicholas F Miller Nicholas.Miller at Colorado.EDU
Wed Dec 10 19:09:50 UTC 2008

Barry & Jonathan,

Thanks for the quick replies. Your responses go along with my findings  
as well. I am trying to clean up some of our configs. The DDNS zones  
just didn't look right to me and I wanted to confirm what I was  

Jonathan, I tested things on a test DC by pointing it at a DNS server  
here that wasn't authoritative for its zone. When I made a change the  
update happened almost immediately on the master server. This behavior  
follows the logic of updates following the SOA.

Barry, from what I can find I don't think the slave needs to be listed  
nor does the master in the allow-update directive. If I have time  
tomorrow I might test this out in our test AD.
Nicholas Miller, ITS, University of Colorado at Boulder

On Dec 10, 2008, at 10:42 AM, Jonathan Petersson wrote:

> I did some testing with this a couple of months ago and it seems like  
> AD is following the NS directive in the SOA.
> The design I used in my test-case was to put AD as an authoritative  
> updater of the specified zone on my master, once updated the BIND  
> master was responsible for updating the slaves.
> Something you can do is add NS records in AD pointing at your BIND  
> slave-servers for the zone, and vice versa configure your slaves to  
> have the AD as master for the zone, what I've experienced is that  
> updates of new records tends to be REALLY slow, thus I would go with  
> the first option.
> /Jonathan

On Dec 10, 2008, at 10:48 AM, bsfinkel at anl.gov wrote:

> 1) All updates for a zone need to be sent to the master server for that
>   zone, as only the master can perform updates.  And one cannot assume
>   that updates sent to a slave server will be forwarded to the
>   master.  And the only place in DNS where the master server is listed
>   is in the SOA record.
> 2) I am not sure of the answer.  If a DNS update is sent to a slave
>   server and then forwarded to the master, I assume that the master
>   will see the request as coming from the real source and not from
>   the forwarding slave server.  So, I assume that the slave server is
>   not updating the master, and thus does not need to be listed in the
>   allow-update declaration.
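Added example, not from anyone in this thread: a minimal named.conf pairing that reflects the point made above, that only the master applies updates and its allow-update ACL names the updaters, not the master or its slaves. The zone name, addresses and key are placeholders; how the AD domain controllers themselves authenticate their updates is not covered by the thread and is not shown here.

```conf
// Constructed example, not a configuration from the thread.
// Shared secret used by whoever is allowed to send updates.
key "ddns-updater" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET";   // placeholder, generate with tsig-keygen
};

// ---- master (the server named in the SOA MNAME) ----
zone "ad.example.net" {
    type master;
    file "dynamic/ad.example.net";
    // Only the updaters need to be here. The slaves below never send
    // updates to us, so they are not listed. Prefer a key over bare
    // addresses: source addresses in an UPDATE packet can be forged.
    allow-update { key "ddns-updater"; };
    // Slaves get the zone by transfer after NOTIFY, which is a separate ACL.
    allow-transfer { 192.0.2.20; 192.0.2.21; };   // placeholder slave addresses
};

// ---- each slave ----
zone "ad.example.net" {
    type slave;
    file "slaves/ad.example.net";
    masters { 192.0.2.10; };   // placeholder master address
    // No allow-update here: a slave cannot apply an update, and without
    // an explicit forwarding setting it will refuse rather than relay one,
    // which is why clients must locate the master via the SOA.
};
```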
