BIND9 and Firewall on same system with dns update errors.

Kevin Darcy kcd at daimlerchrysler.com
Fri Oct 18 22:31:44 UTC 2002 



-- Attached file included as plaintext by Ecartis --

X-Mozilla-Status2: 00000000
Message-ID: <3DB08974.B6C65B6 at chrysler.com>
Date: Fri, 18 Oct 2002 18:21:40 -0400
From: Kevin Darcy <rerogers at chrysler.com>
X-Mailer: Mozilla 4.74 [en] (X11; U; SunOS 5.8 sun4u)
X-Accept-Language: en
MIME-Version: 1.0
To: comp-protocols-dns-bind at isc.org
Subject: Re: BIND9 and Firewall on same system with dns update errors.
References: <f350f251.0210180047.33de4c26 at posting.google.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Mohit Aurora wrote:

> Hello Everyone,
>
> I am a newbi in the field of system administration. The scenario of my
> netowrk is as following:
>
> 1. I have BIND9.2.1 and IBM Secureway Firewall 4.2 installed on same
> machine on AIX 4.3.3 ML10. This system is resolving the names of
> internal systems as well as forwarding to external dns for internet
> access etc.
>
> 2. A secondary name server is configured on Windows 2000 server
> machine. This is able to load the zone files from primary server
> (BIND9.x/AIX4) however there are problems with update (explained
> below).
>
> 3. There are three more systems with Globally valid IPs on DMZ.
>
> Lets assume here that Global IP of primary DNS is ppp.ppp.ppp.ppp
> and local IP is PPP.PPP.PPP.PPP similarly we can assume for secondary
> DNS and lets denote the three systems in DMZ as ddd.ddd.ddd.ddd and
> mmm.mmm.mmm.mmm and zzz.zzz.zzz.zzz. (Sorry for the inconvenience here
> but security policies dont allow me for certain things). The error
> message which we are getting from BIND9 are as under:
>
> Oct 18 13:49:43.517 client ddd.ddd.ddd.ddd#15225 : update
> 'ourdomain/IN' denied
>                              (DMZ system)
> (THIS ERROR REPEATS FOR ALL DMZ SYSTEM)
>
> Oct 18 13:50:15.521 client SSS.SSS.SSS.SSS#2914 : updating
>                            (secondary DNS)
> zone 'ourdomain/IN' : update failed 'RRset exist (value dependent)'
> prerequisite not satisfied (NXRRSET)
> Oct 18 13:50:16.525 client SSS.SSS.SSS.SSS#2917 : updating
>                            (secondary DNS)
> zone 'ourdomain/IN' : update failed 'rrset doesn't exist' prerequisite
> not satisfied (YXRRSET)
>
> (THESE TWO ERROR REPEAT THEMSELVES AT IRREGULAR INTERVALS)

I don't think the firewall has any relevance here. Any external
nameserver tends to get these update attempts from misconfigured Windows
2000 boxes. How those Win2K boxes get certain domains in their
configurations remains a mystery to me (for example, we have many dozens
of external domains and updates are attempted for only *some* of those
domains, but many of those target domains are obscure and basically
no-one should even know about them).

The requests are being denied, so what exactly is your concern?


- Kevin

More information about the bind-users mailing list