dnssec updated zone data is not live ??

Gregory Machin gregory.machin at gmail.com
Fri Dec 11 09:52:43 UTC 2009


On Fri, Dec 11, 2009 at 12:22 AM, Kevin Darcy <kcd at chrysler.com> wrote:
> Gregory Machin wrote:
>>
>> Hi
>> Please can you advise. It's been ages since I have configured dnssec.
>> I used nsupdate (with dnssec) to update a zone file with all the host
>> current ip's so that they are reachable via a host name even when the
>> ip has changed (a dyndns.org type of thing). Everything seems to work
>> fine: named accepts the update and writes it to the .jnl file, but when
>> I try and ping the updated host name I get "ping: unknown host
>> greg.za.protetor.net", and this is on the server running named. Yet
>> the logs show
>>
>> Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view
>> external: updating zone 'device.example.net/IN': deleting rrset at
>> 'greg.device.example.net' A
>> Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view
>> external: updating zone 'device.example.net/IN': adding an RR at
>> 'greg.device.example.net' A
>>
>> Which is correct from what I remember the last time I did this.
>>
>> my zone configuration:
>> /etc/named.conf
>> zone "device.example.net" {
>>        type master;
>>        file "/var/named/device.example.net.db";
>>        allow-transfer { any; };
>>        allow-update { key device.example.net; };
>> };
>>
>>
>> zone file:
>>
>> $ORIGIN .
>> $TTL 3600       ; 1 hour
>> device.example.net         IN SOA  ns1.example.net. ns2.example.net. (
>>                                2009120805 ; serial
>>                                900        ; refresh (15 minutes)
>>                                600        ; retry (10 minutes)
>>                                86400      ; expire (1 day)
>>                                3600       ; minimum (1 hour)
>>                                )
>>                        NS      ns1.example.net.
>>                        NS      ns2.example.net.
>>                        A       205.234.215.112
>>                        MX      0 server.example.net.
>> $ORIGIN device.example.net.
>> $TTL 60 ; 1 minute
>> greg                    A       97.xxx.xxx.127
>>
>>
>>
>> Running:
>> BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5
>>
>>
>>
>
> First of all, are you talking about DNSSEC, or just plain Dynamic Update
> (presumably crypto-authenticated if this is going to be a
> publicly-updateable zone)? I don't see any DNSSEC records in the zone file
> you posted.
>
> Secondly, if you do an AXFR of the zone after the Dynamic Update, does it
> reflect the change?
>
> Thirdly, on the machine which is originating the ping, how is it set up to
> resolve names? Does it only use DNS? Does it only use *itself* for resolving
> DNS? Is there some intermediate caching going on (e.g. nscd or equivalent)?
> If so, have you waited long enough for the entries to expire from that
> intermediate cache?
>
> - Kevin
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>

Hi Kevin
Just plain Dynamic Update with "crypto-authenticated" keys.

If I do a dig on
root at server [~]# dig @ns1.example.net device.example.net A +tcp

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> @ns1.example.net
device.example.net A +tcp
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44660
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;device.example.net.		IN	A

;; ANSWER SECTION:
device.example.net.	3600	IN	A	205.xxx.xxx.112

;; AUTHORITY SECTION:
device.example.net.	3600	IN	NS	ns1.example.net.
device.example.net.	3600	IN	NS	ns2.example.net.

;; Query time: 1 msec
;; SERVER: 205.234.215.113#53(205.234.215.113)
;; WHEN: Fri Dec 11 03:30:08 2009
;; MSG SIZE  rcvd: 85

There should be an A record for a host greg.device.example.net. IN A
97.xxx.xxx.127
Yet if I cat the zone file there is a record:

greg			A	97.xxx.xxx.127

I'm doing the ping on the dns server that is hosting the
device.example.net zone.

Thanks for your assistance.
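
The three checks Kevin lists, written up as a script. This is an added example and not code from the thread; it uses the thread's names and assumes ns1.example.net is the authoritative server and that dig is installed. It queries the updated host name itself, over TCP and without recursion, and the parsing helper is offline so it can be exercised on saved dig output.

```shell
#!/bin/sh
# Added example, not from the thread. Names are the thread's; ns1.example.net
# is assumed to be the authoritative server. Needs dig for the live checks.

# rr_in_answer DIG_OUTPUT NAME TYPE RDATA
# Succeeds only if dig's ANSWER SECTION holds exactly that RR, so a reply that
# is merely NOERROR (for instance a query for the zone apex) does not count.
rr_in_answer() {
    printf '%s\n' "$1" | awk -v n="$2." -v t="$3" -v d="$4" '
        /^;; ANSWER SECTION:/ { in_ans = 1; next }
        /^;;/ || /^$/         { in_ans = 0 }
        in_ans && $1 == n && $4 == t && $5 == d { found = 1 }
        END { exit !found }'
}

# Check 1: ask the authoritative server for the updated host itself, over TCP
# and without recursion, so no intermediate cache can answer on its behalf.
check_live() {  # check_live SERVER NAME TYPE RDATA
    out=$(dig @"$1" "$2" "$3" +norecurse +tcp) || return 1
    rr_in_answer "$out" "$2" "$3" "$4"
}

# Check 2: does a zone transfer (AXFR) reflect the dynamic update?
check_axfr() {  # check_axfr SERVER ZONE NAME TYPE RDATA
    dig @"$1" "$2" AXFR +tcp | awk -v n="$3." -v t="$4" -v d="$5" '
        $1 == n && $4 == t && $5 == d { found = 1 }
        END { exit !found }'
}

# Check 3: how does the pinging host resolve names, and is a cache in between?
check_resolver() {
    grep '^hosts:' /etc/nsswitch.conf 2>/dev/null || true
    grep '^nameserver' /etc/resolv.conf 2>/dev/null || true
    if pgrep -x nscd >/dev/null 2>&1; then
        echo "nscd is running; its hosts cache can be flushed with: nscd -i hosts"
    fi
}

# Usage on the server from the thread (commented out so the file sources cleanly):
# check_live ns1.example.net greg.device.example.net A 97.xxx.xxx.127 && echo live
# check_axfr ns1.example.net device.example.net greg.device.example.net A 97.xxx.xxx.127 && echo "in AXFR"
# check_resolver
```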
