dnssec updated zone data is not live ??

Kevin Darcy kcd at chrysler.com
Thu Dec 10 22:22:35 UTC 2009


Gregory Machin wrote:
> Hi
> Please can you advise. It's been ages since I have configured dnssec.
> I used nsupdate (with dnssec) to update a zone file with all the hosts'
> current IPs so that they are reachable via a host name even when the
> IP has changed (a dyndns.org type of thing). Everything seems to work
> fine: named accepts the update and writes it to the .jnl file, but when
> I try to ping the updated host name I get "ping: unknown host
> greg.za.protetor.net", and this is on the server running named. Yet
> the logs show
>
> Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view
> external: updating zone 'device.example.net/IN': deleting rrset at
> 'greg.device.example.net' A
> Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view
> external: updating zone 'device.example.net/IN': adding an RR at
> 'greg.device.example.net' A
>
> Which is correct from what I remember the last time I did this.
>
> my zone configuration:
> /etc/named.conf
> zone "device.example.net" {
>         type master;
>         file "/var/named/device.example.net.db";
>         allow-transfer { any; };
>         allow-update { key device.example.net; };
> };
>
>
> zone file:
>
> $ORIGIN .
> $TTL 3600	; 1 hour
> device.example.net         IN SOA  ns1.example.net. ns2.example.net. (
>                                 2009120805 ; serial
>                                 900        ; refresh (15 minutes)
>                                 600        ; retry (10 minutes)
>                                 86400	   ; expire (1 day)
>                                 3600	   ; minimum (1 hour)
>                                 )
>                         NS	ns1.example.net.
>                         NS	ns2.example.net.
>                         A	205.234.215.112
>                         MX	0 server.example.net.
> $ORIGIN device.example.net.
> $TTL 60 ; 1 minute
> greg                    A	97.xxx.xxx.127
>
>
>
> Running:
> BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5
>
>
>   
First of all, are you talking about DNSSEC, or just plain Dynamic Update 
(presumably crypto-authenticated if this is going to be a 
publicly updateable zone)? I don't see any DNSSEC records in the zone 
file you posted.

Secondly, if you do an AXFR of the zone after the Dynamic Update, does 
it reflect the change?

Thirdly, on the machine which is originating the ping, how is it set up 
to resolve names? Does it only use DNS? Does it only use *itself* for 
resolving DNS? Is there some intermediate caching going on (e.g. nscd or 
equivalent)? If so, have you waited long enough for the entries to 
expire from that intermediate cache?

- Kevin
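The three checks above, written out as a script. This is an added example and is not code from either poster or from BIND itself; it assumes a TSIG key file path, a master on 127.0.0.1 and the new address 192.0.2.10, all hypothetical, and it embeds a constructed sample of `dig AXFR` output so the parsing part can be exercised without a server.

```shell
#!/bin/sh
# Added example, not from the original thread: push a TSIG-signed Dynamic
# Update and then verify it at each layer the reply asks about, using only
# nsupdate, dig and getent. The key file name, the master address and the
# address 192.0.2.10 are assumptions for illustration.

ZONE="device.example.net"
MASTER="${MASTER:-127.0.0.1}"
# Hypothetical TSIG key file; nsupdate -k also accepts the matching .key/.private pair
KEYFILE="${KEYFILE:-/etc/named/Kdevice.example.net.+157+00000.private}"

# Emit the nsupdate batch that replaces the A RRset of NAME with IP (TTL in
# seconds). This is the same delete-then-add pair the poster's log lines show.
update_batch() {
    name="$1"; ip="$2"; ttl="${3:-60}"
    printf 'server %s\n' "$MASTER"
    printf 'zone %s\n' "$ZONE"
    printf 'update delete %s.%s A\n' "$name" "$ZONE"
    printf 'update add %s.%s %s A %s\n' "$name" "$ZONE" "$ttl" "$ip"
    printf 'send\n'
}

# Read 'dig AXFR' output on stdin; exit 0 only if an A record for NAME with
# address IP is present. dig prints owner names absolute (trailing dot) as
# whitespace-separated fields: owner TTL class type rdata.
axfr_has_a() {
    awk -v owner="$1.$ZONE." -v ip="$2" '
        /^;/ { next }
        $3 == "IN" && $4 == "A" && $1 == owner && $5 == ip { found = 1 }
        END { exit found ? 0 : 1 }'
}

# What the system resolver (the thing ping uses) returns for NAME. getent goes
# through nsswitch, so /etc/hosts, resolv.conf and nscd are all in play here.
resolver_sees() {
    getent hosts "$1.$ZONE" | awk -v ip="$2" '$1 == ip { found = 1 } END { exit found ? 0 : 1 }'
}

# The full live procedure; needs a reachable master, so only run on request.
live_check() {
    name="$1"; ip="$2"
    update_batch "$name" "$ip" | nsupdate -k "$KEYFILE" || { echo "update refused"; return 1; }
    # 1. Is the record in the zone? AXFR from the master (the poster's
    #    allow-transfer { any; } permits this from anywhere).
    dig @"$MASTER" "$ZONE" AXFR | axfr_has_a "$name" "$ip" \
        || { echo "AXFR does not show $name.$ZONE -> $ip: update did not land"; return 1; }
    # 2. Does named answer it directly, bypassing the host's resolver stack?
    dig +short @"$MASTER" "$name.$ZONE" A | grep -qxF "$ip" \
        || { echo "named does not answer the new record"; return 1; }
    # 3. Does the system resolver agree? If 1 and 2 pass but this fails, look
    #    at nsswitch.conf, resolv.conf or a stale intermediate cache (nscd).
    resolver_sees "$name" "$ip" \
        || { echo "system resolver is stale or not using $MASTER"; return 1; }
    echo "ok: $name.$ZONE -> $ip visible in zone, in named, and to the resolver"
}

# Constructed sample of 'dig @127.0.0.1 device.example.net AXFR' output after
# an update (not a real capture), so the parser can be exercised offline.
SAMPLE_AXFR='; <<>> DiG 9.3.6-P1 <<>> @127.0.0.1 device.example.net AXFR
;; global options:  printcmd
device.example.net.      3600 IN SOA ns1.example.net. ns2.example.net. 2009120806 900 600 86400 3600
device.example.net.      3600 IN NS  ns1.example.net.
device.example.net.      3600 IN NS  ns2.example.net.
device.example.net.      3600 IN A   205.234.215.112
device.example.net.      3600 IN MX  0 server.example.net.
greg.device.example.net. 60   IN A   192.0.2.10
device.example.net.      3600 IN SOA ns1.example.net. ns2.example.net. 2009120806 900 600 86400 3600
;; Query time: 0 msec'

if [ "$1" = "--live" ] && [ -n "$2" ] && [ -n "$3" ]; then
    live_check "$2" "$3"          # e.g. ./check.sh --live greg 192.0.2.10
elif printf '%s\n' "$SAMPLE_AXFR" | axfr_has_a greg 192.0.2.10; then
    echo "sample AXFR: greg.$ZONE -> 192.0.2.10 present"
else
    echo "sample AXFR: record missing"
fi
```

Two caveats when running this against the poster's setup. The log lines say `view external:`, so named.conf has views; a query from the box itself may be matched into a different view that serves its own copy of the zone, so step 2 should be issued from a source address that the external view's match-clients accepts, otherwise the "missing" record is simply in the other view. And `allow-update { key device.example.net; };` lets anyone holding that TSIG key rewrite any record in the zone, including the NS and MX at the apex; for a dyndns-style service, `update-policy` with a `grant ... name greg.device.example.net A;` style rule limits each key to its own host's A record.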



