DDNS and allow-update declarations
Nicholas F Miller
Nicholas.Miller at Colorado.EDU
Wed Dec 10 19:09:50 UTC 2008
Barry & Jonathan,
Thanks for the quick replies. your responses go along with my findings
as well. I am trying to clean up some of our configs. The DDNS zones
just didn't look right to me and I wanted to confirm what I was
Jonathan, I tested things on a test DC by pointing it at a DNS server
here that wasn't athoritative for its zone. When I made a change the
update happened almost immediately on the master server. This behavior
follows the logic of updates following the SOA.
Barry, from what I can find I don't think the slave needs to be listed
nor does the master in the allow-update directive. If I have time
tomorrow I might test this out in our test AD.
Nicholas Miller, ITS, University of Colorado at Boulder
On Dec 10, 2008, at 10:42 AM, Jonathan Petersson wrote:
> I did some testing with this couple a months ago and it seams like
> AD is following the NS directive in the SOA.
> The design I used in my test-case was to put AD as an authoritative
> updater of the specified zone on my master, once updated the BIND
> master was responsible for updating the slaves.
> Something you can do is add NS records in AD pointing at your BIND
> slave-servers for the zone, and vice versa configure your slaves to
> have the AD as master for the zone, what I've experienced is that
> updates of new records tends to be REALLY slow, thus I would go with
> the first option.
On Dec 10, 2008, at 10:48 AM, bsfinkel at anl.gov wrote:
> 1) All updates for a zone need to be sent to the master server for
> zone, as only the master can perform updates. And one cannot assume
> that updates sent to a slave server will be forwarded to the
> master. And the only place in DNS where the master server is listed
> is in the SOA record.
> 2) I am not sure of the answer. If a DNS update is sent to a slave
> server and then forwarded to the master, I assume that the master
> will see the request as coming from the real source and not from
> the forwarding slave server. So, I assume that the slave server is
> not updating the master, and thus does not need to be listed in the
> allow-update declaration.
More information about the bind-users