8.2.3-REL dynamic updates
shawn.ohail at firstunion.com
Fri Mar 23 22:00:52 UTC 2001
I really hope this hasn't been asked too many times. I've searched the
archives and found nothing relevant to 8.2.3-REL (Sol7).

I'm trying to get dynamic updates to work with a stealth master and
TSIGs...

Updates work when the master _is_ listed in the NS records, but fail when
removed.

I thought the client was supposed to send the update to the server listed in
the SOA? Instead I'm seeing it get sent to one of the slaves.

When the slave is not configured with the KEY and allow-update clauses it
returns a NOTAUTH.
When configured with KEY and allow-update, it returns NOTIMP.

I'm assuming that to allow the slave to forward updates to the master it
needs KEY and allow-update.

MASTER config:

key foobar.com { algorithm hmac-md5; secret "XXXX"; };
zone "foobar.com" in {
        type master;
        file "primary/foobar.com";
        notify yes;
        allow-update { key foobar.com; };
};

SLAVE config:

zone "foobar.com" in {
        type slave;
        masters { 192.168.1.36; };
};

NSUPDATE out (run on master)
devns0# nsupdate -k /var/named/keys:foobar.com. -d
> update add host.foobar.com 86400 IN A 192.168.1.35
>
;; res_findzonecut: START dname='host.foobar.com' class=IN, zsize=1025, naddrs=3
;; res_findzonecut: get the soa, and see if it has enough glue
;; res_nmkquery(QUERY, host.foobar.com., IN, SOA)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58121
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;; host.foobar.com, type = SOA, class = IN
;; Querying server (# 1) address = 127.0.0.1
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58121
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;; host.foobar.com, type = SOA, class = IN
;; AUTHORITY SECTION:
foobar.com. 1D IN SOA devns0.foobar.com. hostmaster.foobar.com. (
        15 ; serial
        6H ; refresh
        1H ; retry
        1W ; expiry
        1D ) ; minimum
;; res_findzonecut: get the ns rrset and see if it has enough glue
;; res_nmkquery(QUERY, foobar.com, IN, NS)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58122
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;; foobar.com, type = NS, class = IN
;; Querying server (# 1) address = 127.0.0.1
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58122
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUERY SECTION:
;; foobar.com, type = NS, class = IN
;; ANSWER SECTION:
foobar.com. 1D IN NS devcs1.foobar.com.
;; ADDITIONAL SECTION:
devcs1.foobar.com. 1D IN A 192.168.1.37
;; res_findzonecut: get the missing glue and see if it's finally enough
;; res_findzonecut: add_addrs: 1
;; res_findzonecut: satisfy(devns0.foobar.com): 1    <-- What does this mean?
;; res_findzonecut: FINISH n=1 (OK)
;; res_nupdate: res_mkupdate -> 53
;; res_send()
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 58123
;; flags:; ZONE: 1, PREREQUISITE: 0, UPDATE: 1, ADDITIONAL: 1
;; foobar.com, type = SOA, class = IN
host.foobar.com. 1D IN A 192.168.1.35
foobar.com. 0S ANY TSIG HMAC-MD5.SIG-ALG.REG.INT. 0
;; Querying server (# 1) address = 192.168.1.37
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 58123
;; flags: qr ra; ZONE: 1, PREREQUISITE: 0, UPDATE: 0, ADDITIONAL: 1
;; foobar.com, type = SOA, class = IN
. 0S ANY TSIG . 17
;; res_nupdate: res_nsend: send error, n=-1 (Inappropriate ioctl for device)

Again, sorry if this has been posted already...
Shawn O'Hail
First Union National Bank