Logging and error messages

Kevin Darcy kcd at daimlerchrysler.com
Sat Sep 4 01:53:09 UTC 2004


Tom Schmitt wrote:

>Hi,
>
>I use Bind 9.3 and the admins are allowed to update the DNS RRs with
>nsupdate. Now I have two wishes and maybe one of you can give me a hint on how
>to do it:
>
>First, I want to log who updates which RR with nsupdate. The only idea I have
>is to write a wrapper around nsupdate which does the logging. Or is there a
>way to let nsupdate write a logfile on its own?
>The logfile of the Bind server is not usable, because there are also the
>updates from other DNS servers in it, and when I grep for the right updates, I
>have problems with the rotation of the logfiles, so as not to miss any records.
>Also, I miss who (which user) made the update.
>
Yes, write a wrapper around nsupdate. In fact, our environment is kind 
of like that, but perhaps more accurately described as a website that 
uses nsupdate as a backend to make the actual DNS updates (one of these 
days, I plan to rewrite the system to use the Net::DNS Perl module's 
innate Dynamic Update capabilities instead of wrapping nsupdate). In 
this way, we can implement extensive logging and access-control 
functionality.

>The second problem is: Is there a way to get a response from the
>Bind server if an update goes wrong? For example:
>The admin wants to delete myname.mydomain.com, but accidentally he typed
>mygame.mydomain.com.
>Of course, Bind cannot guess what the user meant, but is there a
>possibility to get an error message if the record mygame.mydomain.com
>doesn't exist?
>
That's what prerequisites are for. Set an nxrrset prerequisite in your 
"add" Dynamic Updates. If the name/type combination already exists in 
the database, then you'll get a YXRRSET response instead of the 
expected NOERROR response. If you expect the name to not exist with 
records of *any* type, then set an nxdomain prerequisite instead, and 
you'll get a YXDOMAIN response if the name exists. You should already 
have some sort of error recovery in place for response codes other than 
NOERROR, so this might be simply a matter of setting the appropriate 
prerequisites and giving good feedback to the user if something goes 
wrong (so that they can spot their typo and correct it).

For more information about prerequisites, see RFC 2136 or the nsupdate 
man page.

- Kevin
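As an added example (not code from the thread or from BIND), a small POSIX shell wrapper along the lines Kevin describes: it generates the nsupdate batch with a prerequisite so a mistyped name fails with NXRRSET instead of silently succeeding, and records who requested which change before handing the batch to nsupdate. For the delete case in Tom's question the matching prerequisite is yxrrset (RFC 2136, the "RRset exists" check); the zone, names, logfile and key file paths below are assumptions.

```shell
#!/bin/sh
# Added example wrapper around nsupdate (not from the original thread).

# build_delete ZONE NAME TYPE
# Prints an nsupdate batch that deletes NAME/TYPE only if that RRset exists.
# If the admin mistypes the name, named answers NXRRSET and nothing changes.
build_delete() {
    zone=$1; name=$2; type=$3
    printf 'zone %s\n' "$zone"
    printf 'prereq yxrrset %s %s\n' "$name" "$type"
    printf 'update delete %s %s\n' "$name" "$type"
    printf 'send\n'
}

# build_add ZONE NAME TTL TYPE RDATA
# Prints a batch that adds the record only if no RRset of that type exists
# yet (nxrrset prerequisite, as in Kevin's reply); otherwise named answers YXRRSET.
build_add() {
    zone=$1; name=$2; ttl=$3; type=$4; rdata=$5
    printf 'zone %s\n' "$zone"
    printf 'prereq nxrrset %s %s\n' "$name" "$type"
    printf 'update add %s %s %s %s\n' "$name" "$ttl" "$type" "$rdata"
    printf 'send\n'
}

# log_update LOGFILE BATCH
# Appends a UTC timestamp, the requesting user and the full batch to LOGFILE.
# SUDO_USER is preferred so the real admin is recorded when run via sudo.
log_update() {
    logfile=$1; batch=$2
    who=${SUDO_USER:-${USER:-$(id -un)}}
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s user=%s\n%s\n' "$stamp" "$who" "$batch" >> "$logfile"
}

# run_update LOGFILE KEYFILE BATCH
# Logs first, then runs nsupdate with a TSIG key file (assumed path).
# nsupdate exits non-zero when a prerequisite or update fails, so the caller
# can show the admin the failed batch from the log.
run_update() {
    logfile=$1; keyfile=$2; batch=$3
    log_update "$logfile" "$batch"
    printf '%s\n' "$batch" | nsupdate -k "$keyfile"
}

# Usage (assumed zone/key/log paths):
# run_update /var/log/dnsupdate.log /etc/bind/admin.key \
#     "$(build_delete mydomain.com myname.mydomain.com A)"
```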
