DDNS
Simon Hobson
dhcp at thehobsons.co.uk
Tue May 2 14:33:07 UTC 2006
Andrea Bencini wrote:
>With a Windows 2000 Professional (SP4) only the reverse zone is updated.
>With a Windows XP Professional (SP1) reverse and direct zones are updated.
>(the first log, 10.100.0.99, is Windows 2000 Professional)
>(the second log, 10.100.0.88, is Windows XP Professional)
>Could you tell me why, and the solution?
It's a known 'issue'. There is a flag which the client can set in its requests to say that the client will do its own forward updates - and in an MS-only world this would just happen automagically behind the scenes. There is a flag (ignore-client-updates IIRC) you can set in the dhcpd.conf to override this - setting it may or may not be 'the right' thing to do ...
Suppose you have a laptop, normally known as laptop.mydomain.com, and
you visit somewhere else. You plug it into the network and get an
address. With client updates turned on, and the right access control
in place, it can update the dns for mydomain.com so that
laptop.mydomain.com is the correct address and other people can still
access it by that name (subject to firewalls etc).
If you force the dhcp server to do forward updates, then it cannot do this update (unless you've got some prior arrangement in place to allow it), so the machine becomes laptop.sometotallydifferentdomain.com and is effectively gone from the network because laptop.mydomain.com either still points to its previous address or is deleted because the lease has expired.
Either way, it is correct for the dhcp server to do the reverse zone
update since it will (or should) have an existing ability to update
the reverse zones for the subnets it serves.
You can see the client attempting an update in these log entries :
>Apr 28 16:22:45 p-suse named[4251]: client 10.100.0.99#1086: updating zone
>'tlcovernet.local/IN': update unsuccessful: casa.tlcovernet.local/A: 'RRset
>exists (value dependent)' prerequisite not satisfied (NXRRSET)
>Apr 28 16:22:45 p-suse named[4251]: client 10.100.0.99#1089: update
>'tlcovernet.local/IN' denied
>Apr 28 16:22:45 p-suse named[4251]: client 10.100.0.99#1094: update
>'0.100.10.in-addr.arpa/IN' denied
>Apr 28 16:22:46 p-suse named[4251]: client 10.100.0.99#1100: updating zone
>'tlcovernet.local/IN': update unsuccessful: casa.tlcovernet.local/A: 'RRset
>exists (value dependent)' prerequisite not satisfied (NXRRSET)
>Apr 28 16:22:46 p-suse named[4251]: client 10.100.0.99#1103: update
>'tlcovernet.local/IN' denied
>Apr 28 16:22:46 p-suse named[4251]: client 10.100.0.99#1108: update
>'0.100.10.in-addr.arpa/IN' denied
I should point out that it is very insecure to allow clients to be performing updates on your dns server. Once you allow any updates, you are reliant on all the clients behaving honourably and not deleting (or, worse, changing) important dns records. For example, it would be trivial for someone to put up a server that looks like your important server, then change the dns so that server.somedomain.com points at the rogue server, and suddenly all your clients are connecting to a rogue server with all the implications that go with it.
Simon
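As an added example (not part of Simon's reply or of the ISC tools), the following Python parses the named log lines quoted above and reports, per client address, how many forward and reverse updates the server refused outright or rejected on a failed prerequisite. That per-client list is what an administrator needs before deciding whether to let the dhcp server override client updates: every address in it is a host sending its own DDNS updates.

```python
import re
from collections import defaultdict

# Regexes for the two kinds of named messages quoted in the thread:
# an update refused outright, and one rejected because a prerequisite failed.
DENIED_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: update '(?P<zone>[^']+)' denied")
PREREQ_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: updating zone '(?P<zone>[^']+)': "
    r"update unsuccessful: (?P<rr>\S+): '[^']+' prerequisite not satisfied "
    r"\((?P<rcode>\w+)\)")

# The log lines quoted in the message above, rejoined into one line each.
NAMED_LOG = """\
Apr 28 16:22:45 p-suse named[4251]: client 10.100.0.99#1086: updating zone 'tlcovernet.local/IN': update unsuccessful: casa.tlcovernet.local/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Apr 28 16:22:45 p-suse named[4251]: client 10.100.0.99#1089: update 'tlcovernet.local/IN' denied
Apr 28 16:22:45 p-suse named[4251]: client 10.100.0.99#1094: update '0.100.10.in-addr.arpa/IN' denied
Apr 28 16:22:46 p-suse named[4251]: client 10.100.0.99#1100: updating zone 'tlcovernet.local/IN': update unsuccessful: casa.tlcovernet.local/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Apr 28 16:22:46 p-suse named[4251]: client 10.100.0.99#1103: update 'tlcovernet.local/IN' denied
Apr 28 16:22:46 p-suse named[4251]: client 10.100.0.99#1108: update '0.100.10.in-addr.arpa/IN' denied
"""

def zone_kind(zone):
    """Reverse zones live under in-addr.arpa / ip6.arpa; anything else is forward."""
    name = zone.split("/")[0].lower()
    return "reverse" if name.endswith(("in-addr.arpa", "ip6.arpa")) else "forward"

def summarize_client_updates(log_text):
    """Per client IP: updates named denied or failed on a prerequisite, split by
    forward/reverse zone, plus the records the client tried to set. Any IP that
    appears is a host doing its own DDNS updates rather than leaving it to dhcpd."""
    summary = defaultdict(lambda: {
        "denied": {"forward": 0, "reverse": 0},
        "prereq_failed": {"forward": 0, "reverse": 0},
        "records": set()})
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            summary[m["ip"]]["denied"][zone_kind(m["zone"])] += 1
            continue
        m = PREREQ_RE.search(line)
        if m:
            summary[m["ip"]]["prereq_failed"][zone_kind(m["zone"])] += 1
            summary[m["ip"]]["records"].add(m["rr"])
    return dict(summary)

if __name__ == "__main__":
    for ip, counts in summarize_client_updates(NAMED_LOG).items():
        print(ip, counts)
```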