Another way to find the primary server for a zone
Mark.Andrews at nominum.com
Thu May 10 23:35:00 UTC 2001
>
> At 4:48 PM +0100 5/10/01, Jim Reid wrote:
>
> > However if you plan to use
> > Dynamic DNS (DDNS), you *must* provide the name of the master server
> > in the MNAME. This is the only way for DDNS clients to find out where
> > to send their dynamic update requests. These obviously can only be
> > processed on the zone's master server.
>
> Interesting. I was not aware of this use of the MNAME field. I
> guess this kind of rules out stealth primaries, eh?
>
Dynamic updates are supposed to be able to be sent to any
server for the zone. If it is not the primary then it will
forward the message changing only the id and relay back
any answer restoring the id in the process. BIND 8 does
not support forwarding and returns NOTIMP (early version
returned REFUSED incorrectly). BIND 9 does support
forwarding, if you enable it, and returns NOTIMP if you
don't enable it. The servers use their own knowledge of
the zone transfer graph to find the primary. Looking at
the MNAME is just an optimisation.
TSIG does not cover the id to support this forwarding.
REFUSED is a legitimate answer from the primary so that is
why we return NOTIMP on the slaves if they don't support
forwarding. You should retry if you get a NOTIMP until
you get an answer or exhaust the list of nameservers for
the zone. REFUSED is an answer in this context.
We only recommend turning on forwarding if and only if the
primary is using only TSIG or some other cryptographic
means to verify the authenticity of the update request.
The original IP address is masked by the slave so you can't
trust the IP address in this situation, especially given
how easy it is to forge a UDP datagram.
Note this is real forwarding not what is done when you use
a forwarder in named. The latter strips off TSIGs before
generating a new query to the forwarder which may have a
different TSIG.
Mark
> --
> Brad Knowles, <brad.knowles at skynet.be>
>
> /* efdtt.c Author: Charles M. Hannum <root at ihack.net> */
> /* Represented as 1045 digit prime number by Phil Carmody */
> /* Prime as DNS cname chain by Roy Arends and Walter Belgers */
> /* */
> /* Usage is: cat title-key scrambled.vob | efdtt >clear.vob */
> /* where title-key = "153 2 8 105 225" or other similar 5-byte key */
>
> dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
>
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
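The forwarding behaviour Mark describes above, as an added, self-contained model (not BIND's code and not a TSIG implementation): the secondary ("slave" in the message) answers NOTIMP when forwarding is off, otherwise rewrites only the message ID, relays to the primary and restores the ID in the reply; the client walks the zone's nameservers, retrying on NOTIMP but taking REFUSED as a final answer. The MAC is an HMAC that deliberately excludes the ID field, assumed here as a stand-in for TSIG's "does not cover the id" property. The zone, host names, addresses and key are constructed for the example. The last case shows the warning in the message: a primary that authorises updates by source address sees only the secondary's address once the request is forwarded.

```python
"""Model of RFC 2136 dynamic-update forwarding: the secondary changes only
the message ID, the primary verifies a MAC that skips the ID, the client
retries on NOTIMP and stops on any other RCODE (REFUSED included).
The MAC is an assumed simplification, not TSIG."""
import hashlib
import hmac
import secrets
import struct

OPCODE_UPDATE = 5
NOERROR, NOTIMP, REFUSED = 0, 4, 5


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_update(msg_id, zone, host, addr):
    """UPDATE request adding one A record: header, zone section, update section."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)      # SOA, IN
    rr = encode_name(host) + struct.pack("!HHIH", 1, 1, 300, 4)       # A, IN, TTL, RDLENGTH
    return header + zone_section + rr + bytes(int(o) for o in addr.split("."))


def id_of(msg):
    return struct.unpack("!H", msg[:2])[0]


def with_id(msg, new_id):
    return struct.pack("!H", new_id) + msg[2:]


def rcode_of(msg):
    return struct.unpack("!H", msg[2:4])[0] & 0xF


def mac_for(msg, key):
    """HMAC over the message with the ID zeroed, so a forwarder may change the
    ID without invalidating it (assumption: simplified stand-in for TSIG)."""
    return hmac.new(key, b"\x00\x00" + msg[2:], hashlib.sha256).digest()


def response(msg, rcode):
    flags = (1 << 15) | (OPCODE_UPDATE << 11) | rcode                 # QR=1, opcode, RCODE
    return struct.pack("!HHHHHH", id_of(msg), flags, 0, 0, 0, 0)


class Primary:
    """Accepts an update on a valid MAC or, if no key is configured, on source address."""
    def __init__(self, key=None, allowed_src=()):
        self.key, self.allowed_src = key, set(allowed_src)

    def handle(self, msg, mac, src):
        if self.key is not None:
            ok = mac is not None and hmac.compare_digest(mac_for(msg, self.key), mac)
        else:
            ok = src in self.allowed_src   # address check: meaningless behind a forwarder
        return response(msg, NOERROR if ok else REFUSED)


class Secondary:
    """The 'slave' of the message: NOTIMP unless forwarding is enabled, else relay."""
    def __init__(self, primary, addr, forwarding):
        self.primary, self.addr, self.forwarding = primary, addr, forwarding

    def handle(self, msg, mac, src):
        if not self.forwarding:
            return response(msg, NOTIMP)
        forwarded = with_id(msg, secrets.randbelow(65536))   # only the ID changes; MAC still valid
        reply = self.primary.handle(forwarded, mac, self.addr)  # primary sees the secondary's address
        return with_id(reply, id_of(msg))                     # restore the client's ID


def send_update(nameservers, msg, mac, src):
    """Try servers in order; NOTIMP means 'cannot forward, try the next one'.
    Any other RCODE, REFUSED included, is the answer. None if the list is exhausted."""
    for name, server in nameservers:
        reply = server.handle(msg, mac, src)
        if rcode_of(reply) == NOTIMP:
            continue
        return name, rcode_of(reply), reply
    return None


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    primary = Primary(key=key)
    servers = [("ns2", Secondary(primary, "192.0.2.2", forwarding=False)),
               ("ns3", Secondary(primary, "192.0.2.3", forwarding=True)),
               ("ns1", primary)]
    req = build_update(0x1234, "example.org.", "host.example.org.", "192.0.2.10")
    name, rcode, reply = send_update(servers, req, mac_for(req, key), "198.51.100.7")
    print(f"answered by {name}: rcode={rcode} id=0x{id_of(reply):04x}")
```

Run as-is, the first secondary answers NOTIMP and is skipped, the second forwards and the reply comes back carrying the client's original ID. With an address-only primary that trusts its secondary's address, a request from any source is accepted once it has been forwarded, which is exactly why the message says forwarding should only be enabled when the primary checks a TSIG or similar cryptographic credential.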