nsupdate's choice of interface

Jim Reid jim at rfc1035.com
Wed Dec 20 09:52:31 UTC 2000


>>>>> "Kenneth" == Kenneth Porter <shiva at well.com> writes:

    Kenneth> I tried using nsupdate to write a record to the database,
    Kenneth> just to see if it works, and it looks like it's using the
    Kenneth> *wrong interface* to communicate with named. According to
    Kenneth> the nsupdate man page, it uses resolv.conf to decide what
    Kenneth> interface to use, but the named error message in the log
    Kenneth> file suggests otherwise.

It looks like you've misunderstood the man page. nsupdate does not use
resolv.conf to decide which name server interface to use. The man page
does not say that nsupdate does that either - well not in my copy
anyway. [If it does say that, then file a bug report or upgrade to an
up to date version of BIND.] Please consider the implications if what
you said was true. The addresses used by a resolver for sending
lookups are not necessarily the addresses of the master name server
for every possible zone that applications on the local system might
want to dynamically update. Some computer might run a caching-only
server and list its own asdresses in resolv.conf. Sending dynamic
updates to that name server - which isn't authoritative for anything!
- would not be sensible.

nsupdate does use resolv.conf, but not for firing updates at the IP
addresses of the file's nameserver directives. It uses resolv.conf to
figure out where it sends queries. nsupdate has to find the SOA record
for the zone that's to be updated. The MNAME field of that record
identifies the zone's master server and that's where nsupdate sends
its update requests. nsupdate also uses resolv.conf to resolve the IP
address(es) of that host. The BIND9 nsupdate has a server command to
get it to send updates to a specific host rather than the zone's SOA
record MNAME. I don't know or care if the BIND8 nsupdate does this.

You should be *very* careful about controlling dynamic updates based
on IP address. [BTW, why should the server care which interface it
gets the update request from?] Authentication based on IP addresses is
very weak. They can easily be forged, especially for UDP activity. By
default nsupdate uses UDP. If you must use Dynamic DNS, use Secure
Dynamic DNS and give the updater and updatee a shared secret that they
can use to generate TSIG records on the update transactions. This
allows both parties to authenticate each other. Unless a forger knows
the shared secret, they won't be able to get the name server to
process bogus update requests.
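An added example to illustrate the last point (this is not code from the original post or from BIND; it is a stand-alone, standard-library Python model of what nsupdate and named do on the wire). It builds a DNS UPDATE request for a constructed zone (example.com, key name updater-key, secret and timestamps all made up), signs it with a TSIG record (RFC 2845, hmac-sha256 algorithm name from RFC 4635) and then plays the server side: the MAC covers the whole request plus the TSIG variables, so a forged source address buys an attacker nothing, and a tampered record, an unknown key, or a stale timestamp are each refused with the corresponding TSIG error. Names are written uncompressed; real messages may contain compression pointers, which this toy parser does not handle.

```python
"""TSIG-signed DNS UPDATE (RFC 2136 message, RFC 2845/4635 signature), stdlib only."""
import hashlib
import hmac
import struct
import time

TSIG_TYPE, CLASS_IN, CLASS_ANY = 250, 1, 255
TYPE_A, TYPE_SOA, OPCODE_UPDATE = 1, 6, 5
ALGORITHM = "hmac-sha256."          # RFC 4635 algorithm name; what tsig-keygen emits by default

def encode_name(name):
    """Canonical uncompressed wire form of a dotted name (lowercase, no pointers)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(buf, off):
    """Read an uncompressed name; return (dotted name, offset past it)."""
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += n + 1
    return ".".join(labels) + ".", off + 1

def build_update(zone, name, ttl, ipv4, msg_id):
    """Unsigned UPDATE: Zone section names the zone, Update section adds one A record."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(o) for o in ipv4.split("."))
    add_rr = encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_sec + add_rr

def tsig_variables(keyname, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC (RFC 2845 section 3.4.2): name, class ANY, TTL 0, ..."""
    return (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALGORITHM)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)

def sign_update(msg, keyname, secret, time_signed=None, fudge=300):
    """Updater side: append a TSIG RR whose MAC covers the whole request."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, msg + tsig_variables(keyname, time_signed, fudge), hashlib.sha256).digest()
    orig_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(ALGORITHM)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", orig_id, 0, 0))
    tsig_rr = encode_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1      # TSIG lives in the additional section
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr

def _skip_rrs(buf, off, count):
    for _ in range(count):
        _, off = decode_name(buf, off)
        off += 10 + struct.unpack("!H", buf[off + 8:off + 10])[0]
    return off

def verify_update(signed, keys, now=None):
    """Server side. keys: {key name: secret}. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    msg_id, _, zo, pr, up, ad = struct.unpack("!HHHHHH", signed[:12])
    if ad == 0:
        return False, "unsigned update refused"
    off = 12
    for _ in range(zo):                       # zone section entries look like questions
        _, off = decode_name(signed, off)
        off += 4
    tsig_start = _skip_rrs(signed, off, pr + up + ad - 1)   # TSIG must be the last RR
    keyname, off = decode_name(signed, tsig_start)
    rrtype, _, _, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    off += 10
    if rrtype != TSIG_TYPE or off + rdlen != len(signed):
        return False, "last RR is not a TSIG"
    alg, off = decode_name(signed, off)
    hi, lo, fudge, macsize = struct.unpack("!HIHH", signed[off:off + 10])
    off += 10
    mac, off = signed[off:off + macsize], off + macsize
    orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    time_signed = (hi << 32) | lo
    if keyname not in keys or alg != ALGORITHM:
        return False, "BADKEY"
    # Reconstruct the request as it was before signing: drop the TSIG RR, undo the ARCOUNT bump.
    original = signed[:10] + struct.pack("!H", ad - 1) + signed[12:tsig_start]
    expected = hmac.new(keys[keyname], original + tsig_variables(keyname, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected) or orig_id != msg_id:
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "ok"

if __name__ == "__main__":
    SECRET = b"constructed-demo-secret-do-not-reuse"      # constructed for this example
    req = build_update("example.com.", "host1.example.com.", 300, "192.0.2.10", 0x1234)
    signed = sign_update(req, "updater-key.", SECRET, time_signed=1_000_000)
    print(verify_update(signed, {"updater-key.": SECRET}, now=1_000_010))
```

Nothing here depends on where the packet came from; the decision rests entirely on the shared secret, which is the property Jim is after. With BIND 9 the same arrangement is the `key` and `server` commands in nsupdate and an `allow-update { key updater-key; };` clause on the zone in named.conf, instead of an address-based ACL.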
