Recursive server forwarding dynamic updates

Mark Andrews marka at isc.org
Wed Oct 2 10:31:14 UTC 2013


In message <CAMTzf0FCAt=zG3+OZKaYyxzDTdUWhUmBBzZSz0zOMOjBhEhY5g at mail.gmail.com>
, Bojan Tomic writes:
> 
> Thanks Phil!
> 
> I've tried "allow-update-forwarding", but my understanding is that this
> option only works for slave servers!? What I'm looking for is dynamic
> update forwarding from a non-authoritative server. Can allow-update-forwarding
> also work with a non-authoritative server?  We are building an internal
> closed solution so source IP checking is not necessary.

No, there is no support for forwarding updates except when configured as
a slave server.

Also TSIG signatures are preserved when UPDATE requests are forwarded.
TSIG was designed to allow signed messages to be forwarded.  The
ID field is not covered by the TSIG to allow the message to be
forwarded.  The slave does NOT have to know the shared TSIG secret.

> On Wed, Oct 2, 2013 at 8:56 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> 
> > On 10/02/2013 07:51 AM, Bojan Tomic wrote:
> >
> >> Hi,
> >>
> >> I'm looking for a way to setup a recursive/forwarding named server to
> >> forward dynamic updates
> >>
> >
> > See "allow-update-forwarding" in the ARM. Obviously you will lose source
> > IP / TSIG key info, so will need to perform access checks at the forwarding
> > server, and allow everything you need at the target server from the
> > source/key of the forwarder.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
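
Added example (not part of the original thread and not BIND code): a simplified Python model of why a TSIG-signed UPDATE still verifies after a slave forwards it under a new message ID. The MAC input follows the RFC 2845 layout (message plus TSIG variables, with the verifier restoring the original ID carried in the TSIG record); the TSIG record is kept as a dict rather than wire-encoded, and the key name, secret, zone and addresses are constructed sample values.

```python
import hashlib, hmac, struct

def name(n):
    """Wire-format domain name (lower-cased labels, root terminator)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in n.lower().rstrip(".").split(".")) + b"\0"

def update_msg(msg_id, zone, host, ip):
    """Minimal DNS UPDATE: header, zone section (SOA/IN), one A record to add."""
    hdr = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)  # opcode 5 = UPDATE
    rr = name(host) + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(map(int, ip.split(".")))
    return hdr + name(zone) + struct.pack("!HH", 6, 1) + rr

def tsig_vars(key, t, fudge):
    """TSIG variables: name, class ANY, TTL 0, algorithm, 48-bit time, fudge, error, other-len."""
    return (name(key) + struct.pack("!HI", 255, 0) + name("hmac-sha256")
            + struct.pack("!HIHHH", t >> 32, t & 0xFFFFFFFF, fudge, 0, 0))

def sign(msg, key, secret, t, fudge=300):
    """Client side: MAC over message + TSIG variables; remember the ID used."""
    mac = hmac.new(secret, msg + tsig_vars(key, t, fudge), hashlib.sha256).digest()
    return {"key": key, "time": t, "fudge": fudge, "mac": mac,
            "orig_id": struct.unpack("!H", msg[:2])[0]}

def forward(msg, new_id):
    """Forwarding slave: picks its own header ID, needs no TSIG secret."""
    return struct.pack("!H", new_id) + msg[2:]

def verify(msg, tsig, keyring, now):
    """Master side: restore the original ID, then recompute and compare the MAC."""
    secret = keyring.get(tsig["key"])
    if secret is None or abs(now - tsig["time"]) > tsig["fudge"]:
        return False
    restored = struct.pack("!H", tsig["orig_id"]) + msg[2:]
    data = restored + tsig_vars(tsig["key"], tsig["time"], tsig["fudge"])
    return hmac.compare_digest(hmac.new(secret, data, hashlib.sha256).digest(), tsig["mac"])

def demo():
    secret, t = b"constructed-shared-secret", 1380709874  # constructed sample values
    keyring = {"ddns-key": secret}                        # held by client and master only
    msg = update_msg(0x1234, "example.com", "host1.example.com", "192.0.2.10")
    tsig = sign(msg, "ddns-key", secret, t)
    fwd = forward(msg, 0xBEEF)                            # ID rewritten in transit
    tampered = fwd[:-1] + b"\x63"                         # last octet of the A record changed
    return (verify(fwd, tsig, keyring, t + 5),            # forwarded, intact
            verify(tampered, tsig, keyring, t + 5),       # forwarded, payload altered
            verify(fwd, tsig, keyring, t + 3600))         # outside the fudge window

if __name__ == "__main__":
    print(demo())
```

Because the master authorizes on the key that signed the request, its update policy can stay keyed to the original client even though the packet arrives from the forwarder's address.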

