h2n 2.38
Andris Kalnozols
andris at hpl.hp.com
Fri Jun 15 04:33:36 UTC 2001
> Kevin Darcy wrote:
>
> Okay, time for me to get on my soapbox again...
>
> IF YOUR NEEDS ARE THAT COMPLEX YOU SHOULDN'T BE
> BUILDING DNS FROM A HOSTS FILE ANYWAY!!!
>
> While I certainly respect h2n as a *migration* aid, I see many
> admins using it as a crutch long after they should have made DNS
> their central repository for hostname information. They hang onto
> their hosts files like it's some sort of security blanket or
> favorite teddy-bear. GROW UP! Time to bite the bullet and live
> in the DNS-centric world. You'll be glad when you take the plunge.
> Trust me, I made that transition years ago and never regretted it.
For the benefit of the DNS novices, what Kevin is referring to is
DNS Dynamic Update as introduced by RFC 2136. Zone updates are made
incrementally and in real time as opposed to regenerating the entire
zone for each change to an external database such as a host file.
DDNS is a Good Thing(tm) and its use should be encouraged for
those whose environment justifies the bit of added complexity.
There are commercial software packages that use this or you can
roll your own solution. In the latter case, my soapbox admonition
is a rather obvious MAKE SURE YOU KNOW WHAT YOU'RE DOING!!!
Case in point: h2n (v2.38) audits its input and complains about
the common errors that pervade the DNS namespace, e.g.,
* RDATA fields of NS and MX records that point to CNAMEs
or domain names that lack A records or don't even exist
* SOA MNAME fields that do the same
* PTR records that don't point to domain names with A records
* dangling CNAMEs
* missing glue
* NS RRsets with inconsistent TTL values
Users of h2n, while not on the vanguard, can at least be assured
that they are not gross polluters of the namespace.
So, if you still want to sling around the nsupdate command or
use the DDNS capability of the Net::DNS Perl module, make sure
to craft your update prerequisites accordingly. You can always
use the zone verification feature of h2n to see how well your
DDNS application is doing. ;-)
Also, BIND 8 users considering the nsupdate command should be
aware that it requires a zone's master nameserver to appear
in the NS RRset as well as in the SOA RR's MNAME field, i.e.,
no stealth master is allowed because update forwarding is not
implemented. This presents a bit of a dilemma for a master
that's behind a firewall because including such an unreachable
nameserver in the NS RRset violates the best current practice
per RFC 2182. The solution for this is to either upgrade to
the latest version of BIND 9 which implements update forwarding
or write your own updater using Net::DNS.
Finally, as a self-serving plug using the "scared straight"
model, I've included the analysis of a zone which could be
yours if you don't download and use h2n RIGHT NOW!! ;-)
It's available in the BIND 8.2.4 distribution or at
< ftp://ftp.hpl.hp.com/pub/h2n/h2n.tar.gz >.
Andris Kalnozols
Hewlett-Packard Laboratories
andris at hpl.hp.com
...............................................................
Verifying zone data for domain '???.com'.
Getting NS RRset...
Transferring zone.... (from 'NS.???.com' [???.??.??.??])
Parsing zone data... (NS BIND version: SERVFAIL)
Warning: 'cilt' already exists as a CNAME.
> cilt 1H IN MX 2 muninn
Warning: 'palmgrants' already exists as another resource record.
> palmgrants 1D IN CNAME muninn
Warning: 'www.palmgrants' already exists as another resource record.
> www.palmgrants 1D IN CNAME muninn
Warning: 'design' already exists as a CNAME.
> design 1H IN MX 2 muninn
Performing in-zone and external lookups...
Warning: found NS RR(s) pointing to the following problematic domain name(s):
rayc.???.com. [no A record ]
foe-33.speech.???.com. [CNAME record]
Warning: found MX RR(s) pointing to the following problematic domain name(s):
qm.???.com. [no A record ]
babylon.???.com. [CNAME record]
frankenstein.???.com. [no A record ]
Warning: found PTR RR(s) pointing to the following problematic domain name(s):
0.0.18.128.in-addr.arpa. [no A record ]
Warning: found CNAME(s) pointing to the following problematic domain name(s):
frankenstein.???.com. [ no such RR ]
mddlearth.???.com. [ no such RR ]
huginn.???.com. [ no such RR ]
cford.sdd.???.com. [ NXDOMAIN ]
ruby.ai.???.com. [ NXDOMAIN ]
i4.northern.co.uk. [ timed out ]
Warning: found NS RR(s) to be missing the requisite glue record(s):
mt 43200 IN NS gw.sc
scg 43200 IN NS gw.scg
chic 86400 IN NS foe-33.speech
sc 43200 IN NS gw.sc
Warning: found zone(s) not having at least two listed nameservers (RFC-1034):
esd 86400 IN NS unify.essd
lab 86400 IN NS taos
sdd 800 IN NS puma.sdd
essd 86400 IN NS unify.essd
wdc2 86400 IN NS rayc
Warning: found NS RRset(s) with inconsistent TTL values (RFC-2181):
  tdpweb     86400 IN NS oak.erg
              3600 IN NS sfo.erg
              3600 IN NS sjc.erg
              3600 IN NS lax.erg
  csl        86400 IN NS dns0.csl
              3600 IN NS dns1.csl
  glomo      86400 IN NS oak.erg
              3600 IN NS sfo.erg
              3600 IN NS sjc.erg
              3600 IN NS lax.erg
  systech    86400 IN NS sneezy
              3600 IN NS marvin
  cam       604800 IN NS ns1.cam
              3600 IN NS ns2.cam
              3600 IN NS ns3.cam
              3600 IN NS ns.ai
  ai        604800 IN NS ns.ai
              3600 IN NS ns2.ai
              3600 IN NS eql.caltech.edu.
  sric       86400 IN NS dnsx
              3600 IN NS unix
  infotech   86400 IN NS oak.erg
              3600 IN NS sfo.erg
              3600 IN NS sjc.erg
              3600 IN NS lax.erg
  emerald    86400 IN NS dns0.csl
              3600 IN NS dns1.csl
  sdl        86400 IN NS dns0.csl
              3600 IN NS dns1.csl
  ctl        86400 IN NS oak.erg
              3600 IN NS sjc.erg
              3600 IN NS sfo.erg
              3600 IN NS lax.erg
  bagnet     86400 IN NS oak.erg
              3600 IN NS sfo.erg
              3600 IN NS sjc.erg
              3600 IN NS lax.erg
  chic       86400 IN NS foe-33.speech
              3600 IN NS huge.speech
  glomopi    86400 IN NS oak.erg
              3600 IN NS sfo.erg
              3600 IN NS sjc.erg
              3600 IN NS lax.erg
Warning: found inconsistent NS RRsets surrounding the zone boundary (RFC-1034):
  ???.com.   IN NS ns.???.com.
             IN NS ns1.???.com.
             IN NS turtle.mcc.com.
                              (non-authoritative)
---------------------------- zone cut ----------------------------
                              ( authoritative )
  @          IN NS dns0.csl.???.com.
             IN NS ns.???.com.
             IN NS ns1.???.com.
             IN NS turtle.mcc.com.
Warning: verifying the NS delegations generated the following error(s):
Server turtle.mcc.com is not authoritative for ???.com
No response from taos.???.com (domain lab.???.com)
No response from marvin.???.com (domain systech.???.com)
Server ns1.???.com is not authoritative for tiger.???.com
Server ns.csl.???.com is not authoritative for css.???.com
Server mcc.com is not authoritative for css.???.com
No response from crvax.???.com (domain isl.???.com)
Server unix.???.com is not authoritative for isl.???.com
No response from puma.sdd.???.com (domain sdd.???.com)
Server oak.erg.???.com is not authoritative for bagnet.???.com
Server sfo.erg.???.com is not authoritative for bagnet.???.com
Server sjc.erg.???.com is not authoritative for bagnet.???.com
Server lax.erg.???.com is not authoritative for bagnet.???.com
Server oak.erg.???.com is not authoritative for tdpweb.???.com
Server sfo.erg.???.com is not authoritative for tdpweb.???.com
Server sjc.erg.???.com is not authoritative for tdpweb.???.com
Server lax.erg.???.com is not authoritative for tdpweb.???.com
Server ns1.???.com is not authoritative for lion.???.com
Server dca.wash.erg.???.com is not authoritative for wdc.???.com
Server sjc.erg.???.com is not authoritative for wdc.???.com
Server sfo.erg.???.com is not authoritative for wdc.???.com
Server oak.erg.???.com is not authoritative for wdc.???.com
Server lax.erg.???.com is not authoritative for wdc.???.com
Server oak.erg.???.com is not authoritative for glomo.???.com
Server sfo.erg.???.com is not authoritative for glomo.???.com
Server sjc.erg.???.com is not authoritative for glomo.???.com
Server lax.erg.???.com is not authoritative for glomo.???.com
Server ns1.???.com is not authoritative for giraff.???.com
Server oak.erg.???.com is not authoritative for infotech.???.com
Server sfo.erg.???.com is not authoritative for infotech.???.com
Server sjc.erg.???.com is not authoritative for infotech.???.com
Server lax.erg.???.com is not authoritative for infotech.???.com
Server unix.???.com is not authoritative for scg.???.com
Server oak.erg.???.com is not authoritative for glomopi.???.com
Server sfo.erg.???.com is not authoritative for glomopi.???.com
Server sjc.erg.???.com is not authoritative for glomopi.???.com
Server lax.erg.???.com is not authoritative for glomopi.???.com
Server unix.???.com is not authoritative for sc.???.com
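The advice above to "craft your update prerequisites accordingly", as an added example that is not part of the original post and not code from h2n: a small Python generator that emits BIND 9 nsupdate input whose RFC 2136 prerequisites (nxdomain, yxdomain, nxrrset, yxrrset) make the server refuse exactly the kinds of records the h2n report above complains about (an MX or NS whose target is a CNAME or has no A record, a CNAME added where another RR already exists, another RR added where a CNAME already exists), and that runs the same checks offline against a zone snapshot first. The zone name example.com., the snapshot contents, the 192.0.2.x addresses and the server address are all made-up assumptions. One caveat the code has to live with: a prerequisite may only name an owner inside the zone being updated (anything else is answered NOTZONE), so out-of-zone MX/NS targets cannot be checked server-side and are left alone.

```python
"""Emit nsupdate input (BIND 9 syntax: zone/prereq/update/send) with RFC 2136
prerequisites that enforce the sanity rules h2n's verifier checks for.
Added example; not part of h2n or the original post.  Zone name,
snapshot and addresses below are constructed assumptions."""

ZONE = "example.com."  # assumed zone being updated

# Constructed snapshot of the zone: owner -> {type: [rdata, ...]}.
# Mirrors the kinds of errors shown in the h2n report above.
SNAPSHOT = {
    "muninn.example.com.": {"A": ["192.0.2.10"]},
    "cilt.example.com.": {"CNAME": ["muninn.example.com."]},
    "babylon.example.com.": {"CNAME": ["muninn.example.com."]},
    "palmgrants.example.com.": {"A": ["192.0.2.20"]},
}


def fqdn(name, zone=ZONE):
    """Qualify a relative owner or target name against the zone."""
    return name if name.endswith(".") else f"{name}.{zone}"


def in_zone(name, zone=ZONE):
    return name == zone or name.endswith("." + zone)


def target_of(rtype, rdata):
    """Domain name an MX/NS/CNAME/PTR points at (None for other types)."""
    if rtype in ("NS", "CNAME", "PTR"):
        return rdata.strip()
    if rtype == "MX":
        return rdata.split()[-1]        # "2 muninn" -> "muninn"
    return None


def prerequisites(owner, rtype, target, zone=ZONE):
    """RFC 2136 prerequisite lines the server must verify before the add."""
    lines = []
    if rtype == "CNAME":
        lines.append(f"prereq nxdomain {owner}")      # nothing at all may exist here
    else:
        lines.append(f"prereq nxrrset {owner} CNAME")  # owner must not be a CNAME
    # Target rules are only enforceable server-side for in-zone targets.
    if target and in_zone(target, zone):
        if rtype in ("MX", "NS"):
            lines.append(f"prereq yxrrset {target} A")
            lines.append(f"prereq nxrrset {target} CNAME")
        elif rtype == "CNAME":
            lines.append(f"prereq yxdomain {target}")  # no dangling CNAME
    return lines


def local_check(owner, rtype, target, snapshot, zone=ZONE):
    """Offline check against the snapshot; returns the problems found."""
    problems = []
    have = snapshot.get(owner, {})
    if rtype == "CNAME" and have:
        problems.append(f"{owner} already exists as another resource record")
    elif rtype != "CNAME" and "CNAME" in have:
        problems.append(f"{owner} already exists as a CNAME")
    if target:
        trr = snapshot.get(target)
        if trr is None:
            if in_zone(target, zone):   # out-of-zone targets cannot be checked here
                problems.append(f"{rtype} target {target} does not exist")
        elif rtype in ("MX", "NS", "PTR"):
            if "CNAME" in trr:
                problems.append(f"{rtype} target {target} is a CNAME")
            elif "A" not in trr:
                problems.append(f"{rtype} target {target} has no A record")
    return problems


def build_update(name, ttl, rtype, rdata, snapshot=SNAPSHOT, zone=ZONE, server=None):
    """Return (nsupdate_script, problems).  The script is empty whenever the
    offline check fails: nothing h2n would later flag gets sent at all."""
    owner = fqdn(name, zone)
    tokens = rdata.split()
    target = target_of(rtype, rdata)
    if target:
        target = fqdn(target, zone)
        tokens[-1] = target             # send the target fully qualified
    problems = local_check(owner, rtype, target, snapshot, zone)
    if problems:
        return "", problems
    lines = [f"server {server}"] if server else []
    lines.append(f"zone {zone}")
    lines += prerequisites(owner, rtype, target, zone)
    lines.append(f"update add {owner} {ttl} IN {rtype} {' '.join(tokens)}")
    lines.append("send")
    return "\n".join(lines) + "\n", []


if __name__ == "__main__":
    for args in (("cilt", 3600, "MX", "2 muninn"),          # owner is a CNAME
                 ("palmgrants", 86400, "CNAME", "muninn"),  # owner already has an A
                 ("design", 3600, "MX", "2 muninn")):       # clean: script emitted
        script, problems = build_update(*args, server="192.0.2.1")
        print(script or "\n".join("REJECTED: " + p for p in problems))
```

The emitted text is meant to be piped into nsupdate; use its -k option with a TSIG key so the server accepts updates only from your updater, otherwise the prerequisites only protect you from your own mistakes, not from anyone else's. If any prerequisite fails the server answers the whole request with NXDOMAIN, YXDOMAIN, NXRRSET or YXRRSET and applies none of it, which is the point.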