BIND 10 #2005: DDNS documentation
BIND 10 Development
do-not-reply at isc.org
Mon Jun 18 16:02:05 UTC 2012
#2005: DDNS documentation
-------------------------------------+-------------------------------------
            Reporter:  jinmei        |                 Owner:  jinmei
                Type:  task          |                Status:  reviewing
            Priority:  very high     |             Milestone:  Sprint-20120619
           Component:  DDNS         |            Resolution:
            Keywords:                |             Sensitive:  0
     Defect Severity:  N/A           |           Sub-Project:  DNS
Feature Depending on Ticket:  DDNS   |  Estimated Difficulty:  6
 Add Hours to Ticket:  0             |           Total Hours:  0
           Internal?:  0             |
-------------------------------------+-------------------------------------
Comment (by jreed):
I have a few comments and questions.
{{{
When the processing is completed <command>b10-ddns</command>
will send a response to the client with the processing result.
}}}
What does "processing result" mean? (In guide and manpage.)
{{{
If the zone has been changed as a result, it will internally
notify <command>b10-auth</command> and
<command>b10-xfrout</command> so the new version of the zone will
be served
}}}
Does that mean there are two different zone databases and it tells auth to
use the new one?
For consistent style: some uses of the term "process" maybe should be
"component" instead.
{{{
Clients cannot reuse the
same TCP connection for multiple requests.
}}}
Is this a limitation or bug in BIND 10? Or is this per the specification?
Is there a ticket about update forwarding? If so, maybe put it as a
comment in the part about that. Maybe make that paragraph a <note> too.
{{{
In addition, <command>b10-xfrout</command> should also be
configured to run; otherwise the notification after an update
(see above) will fail with a timeout, suspending the DDNS
service while <command>b10-ddns</command> waits for the response.
}}}
Is this a bug? Any ticket? What if admin forgets to configure this? Is
there any warning or error in the logging? How long is it suspended?
(forever until BIND 10 is restarted?)
What ticket number for "The way to configure data sources is now being
revised." ?
What happens if b10-ddns component is configured and started but
dependencies aren't enabled? Any warning logged? (Or just doesn't do
anything?)
{{{
> <userinput>config set Boss/components/b10-ddns/address
DDNS</userinput>
}}}
I don't understand "address" well. Why doesn't it know the address is
DDNS? It seems obvious.
("The address is by convention the thing after b10-, with the first letter
capital") So maybe change code to be "Ddns" or allow it to be
case-insensitive and then remove the obvious configuration?
{{{
> <userinput>config set Boss/components/b10-ddns/kind
dispensable</userinput>
}}}
That is the default so doesn't need to be documented.
{{{
To allow updates to take effect, an access control rule
(called update ACL) with that policy must explicitly be
configured.
}}}
What is "that policy"?
{{{
<term>class</term>
<listitem>
<simpara>The RR class of the zone
(normally <quote>IN</quote>)</simpara>
</listitem>
}}}
Any default class IN for this? Or does it always have to be defined?
Now I see later: "(The <quote>class</quote> can be omitted)." so maybe
move that sentence earlier and really do omit it and just mention it using
default class.
Any plans for specific fine-grained policies like BIND 9 provides? (Now I
see it mentioned later in the guide.) Any ticket(s) for this?
Do index numbers like zero in "DDNS/zones[0]/origin" match up with index
numbers used by other components? (I don't think so and this is probably
not related to this ticket.)
{{{
The following configuration sequence will add to the previous
ACL a rule that allows update requests sent from a client
using TSIG key name of "key.example" and has an IPv6 address of
::1.
<screen>
> <userinput>config add DDNS/zones[0]/update_acl {"action": "ACCEPT",
"from": "::1", "key": "key.example"}</userinput>
}}}
That seems strange to "add to the previous". Maybe use "set" to set the
"from"? (I need to test to verify.) (Ignore the fact that zero becomes
one -- that seems like a bug.)
Why have two rules now? Now I see they are different -- maybe clearly say
"using a different TSIG key name"?
Also maybe the documentation should not show examples of adding entire
JSON objects, but should add and then set each item individually to be
clear.
I assume this rule processing stops on first match and continues through
entire list only if no matches. Maybe document about this in the guide?
Is there any purpose to have an "action": "REJECT" rule?
Any example of when to use a "DROP" rule? (Does "DROP" work?)
Any way to restrict updates to TCP only?
{{{
One known specific bad result of this is that it could leak
information about which name or record exists or does not
...
}}}
What is "this"? Is this using the RFC specification way? Or using the BIND
10 way?
{{{
or make sure the update request also updates related DNSSEC
records, but that will be pretty error-prone operation.
}}}
Why error-prone? It seems like I have heard of non-BIND9 DNSSEC
maintenance tools that do use DDNS.
{{{
If you need to make manual updates to a dynamic zone,
you'll need to temporarily reject any updates to the zone via
the update ACLs.
}}}
Why? Will something fail if you manually update the SQLite3 database
directly? I understand it may be changed soon after, but that would be the
same as thawing anyway.
{{{
Zones listed in
<quote>secondary_zones</quote> will never be updated via DDNS
regardless of the update ACL configuration.
}}}
What will b10-ddns (or b10-auth?) respond to client with? REFUSED? NOTIMP?
Other?
Update date stamp in man page. Also update the HISTORY to mention when it
first works. Man page can mention default IN class.
I am not sure how to word it, but maybe man page should mention there may
be multiple update_acl lists.
Those are my comments before using it :)
--
Ticket URL: <http://bind10.isc.org/ticket/2005#comment:8>
BIND 10 Development <http://bind10.isc.org>
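The update ACL questions in the comment above (first-match processing, the point of a REJECT rule, what a rule with both "from" and "key" requires) can be illustrated with a small model of how a rule list like `DDNS/zones[0]/update_acl` is evaluated. This is an added example, not b10-ddns code, and it assumes first-match semantics with an implicit REJECT when no rule matches; the first ACL rule is constructed, since the guide excerpt only shows the second.

```python
# Added example: a minimal evaluator for a DDNS update ACL of the form
# [{"action": ..., "from": ..., "key": ...}, ...]. Not BIND 10 code.
# Assumptions (labelled, not taken from the page): rules are tried in
# order, the first matching rule decides, and a list with no match falls
# through to REJECT. Check the real b10-ddns behaviour before relying on it.
import ipaddress

DEFAULT_ACTION = "REJECT"  # assumed implicit final rule

# Constructed ACL: rule 0 is invented; rule 1 is the one from the guide text.
UPDATE_ACL = [
    {"action": "ACCEPT", "from": "192.0.2.1"},
    {"action": "ACCEPT", "from": "::1", "key": "key.example"},
]


def rule_matches(rule, src_ip, key_name):
    """A rule matches only when every condition it specifies holds.

    "from" is an address or prefix; "key" is the TSIG key name the request
    was signed with (None for an unsigned request). A rule that names a key
    never matches an unsigned request, whatever the source address.
    """
    if "from" in rule:
        net = ipaddress.ip_network(rule["from"], strict=False)
        # An IPv4 address is never inside an IPv6 prefix and vice versa.
        if ipaddress.ip_address(src_ip) not in net:
            return False
    if "key" in rule and rule["key"] != key_name:
        return False
    return True


def evaluate_update_acl(acl, src_ip, key_name=None, default=DEFAULT_ACTION):
    """Return (action, index_of_matching_rule); index is None on fall-through."""
    for idx, rule in enumerate(acl):
        if rule_matches(rule, src_ip, key_name):
            return rule["action"], idx
    return default, None


if __name__ == "__main__":
    # Order matters under first-match: a REJECT for a prefix placed before
    # an ACCEPT for the same prefix shadows the ACCEPT entirely.
    shadowed = [
        {"action": "REJECT", "from": "192.0.2.0/24"},
        {"action": "ACCEPT", "from": "192.0.2.0/24", "key": "key.example"},
    ]
    print(evaluate_update_acl(UPDATE_ACL, "::1", "key.example"))   # ('ACCEPT', 1)
    print(evaluate_update_acl(UPDATE_ACL, "::1"))                  # ('REJECT', None)
    print(evaluate_update_acl(shadowed, "192.0.2.7", "key.example"))  # ('REJECT', 0)
```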