Another way to find the primary server for a zone

Mark.Andrews at nominum.com Mark.Andrews at nominum.com
Thu May 10 23:35:00 UTC 2001


> 
> At 4:48 PM +0100 5/10/01, Jim Reid wrote:
> 
> >                                         However if you plan to use
> >  Dynamic DNS (DDNS), you *must* provide the name of the master server
> >  in the MNAME. This is the only way for DDNS clients to find out where
> >  to send their dynamic update requests. These obviously can only be
> >  processed on the zone's master server.
> 
> 	Interesting.  I was not aware of this use of the MNAME field.  I 
> guess this kind of rules out stealth primaries, eh?
> 

	Dynamic updates are supposed to be able to be sent to any
	server for the zone.  If it is not the primary then it will
	forward the message changing only the id and relay back
	any answer restoring the id in the process.  BIND 8 does
	not support forwarding and returns NOTIMP (early version
	returned REFUSED incorrectly).  BIND 9 does support
	forwarding, if you enable it, and returns NOTIMP if you
	don't enable it.  The servers use their own knowledge of
	the zone transfer graph to find the primary.  Looking at
	the MNAME is just an optimisation.

	TSIG does not cover the id to support this forwarding.
	REFUSED is a legitimate answer from the primary so that is
	why we return NOTIMP on the slaves if they don't support
	forwarding.  You should retry if you get a NOTIMP until
	you get an answer or exhaust the list of nameservers for
	the zone.  REFUSED is an answer in this context.

	We only recommend turning on forwarding if and only if the
	primary is using only TSIG or some other cryptographic
	means to verify the authenticity of the update request.
	The original IP address is masked by the slave so you can't
	trust the IP address in this situation, especially given
	how easy it is to forge a UDP datagram.

	Note this is real forwarding not what is done when you use
	a forwarder in named.  The latter strips off TSIGs before
	generating a new query to the forwarder which may have a
	different TSIG.

	Mark
> -- 
> Brad Knowles, <brad.knowles at skynet.be>
> 
> /*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
> /*       Represented as 1045 digit prime number by Phil Carmody         */
> /*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
> /*                                                                      */
> /*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
> /*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */
> 
> dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
> 
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
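The forwarding and retry behaviour described in the reply above, as an added simulation (not code from the post, from BIND, or from Nominum): a forwarding secondary rewrites only the 16-bit header ID before relaying to the primary and restores the client's ID on the reply, a non-forwarding secondary answers NOTIMP, and the client walks the zone's nameservers retrying on NOTIMP while treating REFUSED as a final answer. Server names, IDs and the in-memory "servers" are constructed; no packets are sent.

```python
import struct

OPCODE_UPDATE = 5                                   # RFC 2136 opcode
RCODE = {"NOERROR": 0, "NOTIMP": 4, "REFUSED": 5}
FLAG_QR = 0x8000

def build_update_header(msg_id):
    """12-byte DNS header: QR=0, OPCODE=UPDATE, ZOCOUNT=1 (sections omitted)."""
    return struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 0, 0)

def rcode_of(reply):
    flags = struct.unpack("!H", reply[2:4])[0]
    return {v: k for k, v in RCODE.items()}[flags & 0xF]

def make_primary(rcode):
    """Authoritative primary: echoes the message with QR set and the given rcode."""
    def primary(msg):
        flags = struct.unpack("!H", msg[2:4])[0] | FLAG_QR | RCODE[rcode]
        return msg[:2] + struct.pack("!H", flags) + msg[4:]
    return primary

def make_secondary(primary, forwarding, upstream_id=0xBEEF):
    """Secondary: forwards (changing only the ID, which TSIG leaves free to
    change) or, without forwarding enabled, answers NOTIMP itself."""
    def secondary(msg):
        if not forwarding:
            return make_primary("NOTIMP")(msg)
        client_id = msg[:2]
        reply = primary(struct.pack("!H", upstream_id) + msg[2:])
        return client_id + reply[2:]                 # restore the client's ID
    return secondary

def send_update(servers, update):
    """Client: try each NS for the zone, retry on NOTIMP, stop on any real
    answer (NOERROR and REFUSED both end the attempt)."""
    for name, server in servers:
        reply = server(update)
        qr_set = struct.unpack("!H", reply[2:4])[0] & FLAG_QR
        if reply[:2] != update[:2] or not qr_set:
            continue                                 # not a reply to our message
        rc = rcode_of(reply)
        if rc != "NOTIMP":
            return name, rc
    return None, "NOTIMP"

def demo(primary_rcode="NOERROR"):
    """Constructed zone: a non-forwarding secondary first, then a forwarding
    one, with the primary listed last."""
    primary = make_primary(primary_rcode)
    servers = [("ns1", make_secondary(primary, forwarding=False)),
               ("ns2", make_secondary(primary, forwarding=True)),
               ("ns0", primary)]
    return send_update(servers, build_update_header(0x1234))
```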

