denied updates wiredness
Brad Knowles
brad.knowles at skynet.be
Thu Jul 26 05:57:27 UTC 2001
At 8:23 PM -0500 7/25/01, Hannah O Day wrote:
> I searched the archive, but couldn't find any answer. I have a master and
> a slave. THe master is configured only accept updates from two dhcp
> servers and from itself.
Hopefully, they are defined to require a key, and not by IP address.
> Other then that the master is completely
> invisible to the rest of the world. What's strange is that I see lots of
> individuals who are using static ips and some dns servers that are only
> supposed to do zone transfer off my slave are trying to send update to the
> master. Of course, the master is denying them. But they just keep coming,
> full up the syslog. Could anyone tell what's going on?
Well, either the master is defined in the DNAME field of your
SOA, or the DHCP servers are forwarding the updates that they are
receiving from other machines (because the other machines think that
the DHCP servers are the master and send their updates to them, but
the DHCP servers know better and forward those updates to the real
master).
If the DHCP servers had been defined by IP address, then once
they forwarded the updates, those would be accepted because the
master would only be able to see that they had come from the DHCP
servers and not the original updater. This is why you want to make
sure that you allow updates only by key, because in that case the key
information from the original updater will also be forwarded, and
that way you can detect the difference between an update that
actually originated on the DHCP server and one that the DHCP server
merely forwarded on.
Basically, this is normal. There's not anything you can do about
it unless you fix all the clients to stop trying to update your
servers.
--
Brad Knowles, <brad.knowles at skynet.be>
H4sICIFgXzsCA2RtYS1zaWcAPVHLbsMwDDvXX0H0kkvbfxiwVw8FCmzAzqqj1F4dy7CdBfn7
Kc6wmyGRFEnvvxiWQoCvqI7RSWTcfGXQNqCUAnfIU+AT8OZ/GCNjRVlH0bKpguJkxiITZqes
MxwpSucyDJzXxQEUe/ihgXqJXUXwD9ajB6NHonLmNrUSK9nacHQnH097szO74xFXqtlbT3il
wMsBz5cnfCR5cEmci0Rj9u/jqBbPeES1I4PeFBXPUIT1XDSOuutFXylzrQvGyboWstCoQZyP
dxX4dLx0eauFe1x9puhoi0Ao1omEJo+BZ6XLVNaVpWiKekxN0VK2VMpmAy+Bk7ZV4SO+p1L/
uErNRS/qH2iFU+iNOtbcmVt9N16lfF7tLv9FXNj8AiyNcOi1AQAA
More information about the bind-users
mailing list