Dynamic Updates

Jim Reid jim at rfc1035.com
Mon Sep 25 10:13:03 UTC 2000


>>>>> ">" == nospam  <nospam at httpcolon.com> writes:

	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
	Please use a proper email address.

    >> I am currently running bind version 8.2.2-p5. Are there any
    >> differences between 8.2.2-p5 and the new version 9 relating to
    >> dynamic updates?

No, well nothing that matters to you. There are some minor changes in
the command-line arguments for nsupdate and some extra functionality
in the BIND9 version, but the DNS update protocol hasn't changed.

    >> I noticed in my 8.2.2-p5 docs that the "key" section used to
    >> authenticate zone updates is ignored, but I also see that some
    >> people on the list have had some success with it. Is that V9
    >> only? Also the docs for nsupdate don't specify how to send the
    >> key along with the request.

Have you read the man page for nsupdate? I quote from the BIND8 one:

ARGUMENTS
     -k          Sign updates with TSIG
	.....
EXAMPLES 
	.....
     In this example, the nsupdate will be signed with the key "mykey", which
     is in the directory "/var/named/keys".
 
           $ nsupdate -k /var/named/keys:mykey
           > update add ftp.example.com 60 A 192.168.5.1  

     >> I noticed in my 8.2.2-p5 docs that the "key" section used to 
     >> authenticate zone updates is ignored, but I also see that some
     >> people on the list have had some success with it. Is that V9
     >> only? Also the docs for nsupdate don't specify how to send the
     >> key along with the request.

What "documentation" says this? Have you looked at the contents of the
BIND8 doc tarball? The key{} statement is not ignored in 8.2.2P5, as
the documentation states. Perhaps you're reading out-of-date documents
or are not reading the official ISC documentation? I've already quoted
from the 8.2.2P5 man page for nsupdate which includes an example of
how to sign an update request with a TSIG key.

    >> When a zone is updated dynamically, how quickly is the zone
    >> file rewritten in case of a server crash? Is it possible to
    >> signal the server to write out all updated domains immediately
    >> or to configure it to happen more often?

A dynamic update does not succeed until the change has been committed
to stable storage. Read RFC2136. In the case of BIND, the updates are
written to a log file. So if the server crashes, the name server just
replays the transactions in the log to restore the DNS zone to the
state it was in before the crash. Periodically, the name server writes
out a new zone file, "merging" the contents of the log file, which then
gets emptied. Consult src/bin/named/ns_defs.h in BIND8 for details of
when this is done.

     >> Are there any perl scripts out there that do dynamic updates
     >> that I can use as a model for my own purposes?

Very probably, but why don't you use the tool that's shipped with BIND
for that purpose: nsupdate?
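
What signing an update with a TSIG key (the -k option in the man page quoted above) amounts to on the wire, as an added example that is not part of the original message or of BIND: it builds the quoted "update add" as an RFC 2136 message, then computes and checks the RFC 2845 HMAC-MD5 MAC, without appending the TSIG record itself. The zone name, secret, message ID and timestamp are constructed values.

```python
import hmac
import socket
import struct

# Algorithm name defined by RFC 2845 for HMAC-MD5 TSIG keys.
ALGORITHM = "HMAC-MD5.SIG-ALG.REG.INT"

def wire_name(name):
    """Encode a domain name in uncompressed, lower-cased DNS wire format."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def build_update(msg_id, zone, name, ttl, addr):
    """RFC 2136 UPDATE message adding one A record to `zone`."""
    # Opcode 5 (UPDATE); counts: 1 zone, 0 prerequisites, 1 update, 0 additional.
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)
    zone_section = wire_name(zone) + struct.pack("!HH", 6, 1)  # type SOA, class IN
    rdata = socket.inet_aton(addr)
    record = wire_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + zone_section + record

def tsig_mac(message, key_name, secret, time_signed, fudge=300):
    """MAC over the unsigned message followed by the TSIG variables (RFC 2845)."""
    variables = (
        wire_name(key_name)
        + struct.pack("!HI", 255, 0)          # class ANY, TTL 0
        + wire_name(ALGORITHM)
        + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time
        + struct.pack("!HHH", fudge, 0, 0)    # fudge, error, other-data length
    )
    return hmac.new(secret, message + variables, "md5").digest()

def verify(message, key_name, secret, time_signed, mac, now, fudge=300):
    """Receiver's check: timestamp inside the fudge window, then constant-time compare."""
    if abs(now - time_signed) > fudge:
        return False
    return hmac.compare_digest(tsig_mac(message, key_name, secret, time_signed, fudge), mac)

# Constructed sample values: the secret, message ID, zone name and timestamp are made up.
SECRET = b"constructed-demo-secret"
SIGNED_AT = 969876783
UPDATE = build_update(0x1234, "example.com", "ftp.example.com", 60, "192.168.5.1")
MAC = tsig_mac(UPDATE, "mykey", SECRET, SIGNED_AT)

if __name__ == "__main__":
    print("valid key:  ", verify(UPDATE, "mykey", SECRET, SIGNED_AT, MAC, SIGNED_AT + 10))
    print("wrong key:  ", verify(UPDATE, "mykey", b"other", SIGNED_AT, MAC, SIGNED_AT + 10))
    print("stale stamp:", verify(UPDATE, "mykey", SECRET, SIGNED_AT, MAC, SIGNED_AT + 3600))
```
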


