Logging and errormessages
Kevin Darcy
kcd at daimlerchrysler.com
Sat Sep 4 01:53:09 UTC 2004
Tom Schmitt wrote:
>Hi,
>
>I use Bind 9.3 and the Admins are allowed to update the DNS-RR with
>nsupdate. Now I have two wishes and maybe one of you can give me a hint how
>to do it:
>
>First, I want to log who updates which RR with nsupdate. The only idea I have
>is to write a wrapper around nsupdate which does the logging. Or is there a
>way to let nsupdate write a logfile on its own?
>The logfile of the Bind server is not usable, because there are also the
>updates from other DNS servers in it and when I grep the right updates, I
>have problems with the rotating of the logfiles not to miss any records.
>Also, I miss who (which user) made the update.
>
Yes, write a wrapper around nsupdate. In fact, our environment is kind
of like that, but perhaps more accurately described as a website that
uses nsupdate as a backend to make the actual DNS updates (one of these
days, I plan to rewrite the system to use the Net::DNS Perl module's
innate Dynamic Update capabilities instead of wrapping nsupdate). In
this way, we can implement extensive logging and access-control
functionality.

>The second problem is: Is there a way to get a response from the
>Bind server, if an update goes wrong? For example:
>The Admin wants to delete the myname.mydomain.com, but accidentally he typed
>mygame.mydomain.com
>Of course, the bind cannot guess what the user has meant, but is there a
>possibility to get an error message, if the record mygame.mydomain.com
>doesn't exist?
>
That's what prerequisites are for. Set an nxrrset prerequisite in your
"add" Dynamic Updates. If the name/type combination already exists in
the database, then you'll get a YXRRSET response instead of the
expected NOERROR response. If you expect the name to not exist with
records of *any* type, then set an nxdomain prerequisite instead, and
you'll get a YXDOMAIN response if the name exists. You should already
have some sort of error recovery in place for response codes other than
NOERROR, so this might be simply a matter of setting the appropriate
prerequisites and giving good feedback to the user if something goes
wrong (so that they can spot their typo and correct it).

For more information about prerequisites, see RFC 2136 or the nsupdate
man page.

- Kevin
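
A sketch of the wrapper and prerequisite approach discussed in this thread, as an added example that is not code from either poster. It goes one step beyond the reply by also guarding deletes with the mirror-image `yxrrset` prerequisite from RFC 2136, so that deleting a mistyped name returns NXRRSET. The function names, the `dns-audit.log` path, the input allowlists and the assumption that nsupdate names the failing response code on stderr are all choices made for this example.

```python
import os, pwd, re, subprocess, time

# Allowlists: no newline or metacharacter can reach nsupdate, so a caller
# cannot smuggle a second command into the batch. Deliberately conservative.
NAME = re.compile(r"([A-Za-z0-9_-]{1,63}\.)+[A-Za-z0-9-]{1,63}\.?")
TYPE = re.compile(r"[A-Z][A-Z0-9]{0,15}")
DATA = re.compile(r"[A-Za-z0-9.:_/+=-][A-Za-z0-9 .:_/+=-]{0,254}")

# Prerequisite attached to each action (RFC 2136): "add" requires the RRset to
# be absent (fails with YXRRSET), "delete" requires it to exist (fails with NXRRSET).
PREREQ = {"add": "nxrrset", "delete": "yxrrset"}
RCODES = ("YXDOMAIN", "YXRRSET", "NXRRSET", "NXDOMAIN", "NOTAUTH",
          "NOTZONE", "REFUSED", "SERVFAIL", "FORMERR")

def build_batch(action, name, rtype, ttl=None, data=None):
    """Return nsupdate input for one guarded update; ValueError on bad input."""
    if action not in PREREQ or not NAME.fullmatch(name) or not TYPE.fullmatch(rtype):
        raise ValueError("rejected input")
    if action == "add":
        if type(ttl) is not int or ttl < 0 or not DATA.fullmatch(data or ""):
            raise ValueError("rejected input")
        update = f"update add {name} {ttl} {rtype} {data}"
    else:
        update = f"update delete {name} {rtype}"
    return f"prereq {PREREQ[action]} {name} {rtype}\n{update}\nsend\n"

def outcome(returncode, stderr_text):
    """Map an nsupdate run to a response-code name for the log and the user."""
    if returncode == 0:
        return "NOERROR"
    # Assumption: nsupdate names the failing rcode on stderr.
    return next((r for r in RCODES if r in stderr_text), "FAILED")

def audit_line(user, action, name, rtype, result, now=None):
    """One record per update: when, who, what, and how the server answered."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    return f"{stamp} user={user} action={action} name={name} type={rtype} result={result}"

def guarded_update(action, name, rtype, ttl=None, data=None, log="dns-audit.log"):
    """Validate, run nsupdate without a shell, append the audit record."""
    batch = build_batch(action, name, rtype, ttl, data)
    proc = subprocess.run(["nsupdate"], input=batch, text=True, capture_output=True)
    result = outcome(proc.returncode, proc.stderr)
    user = pwd.getpwuid(os.getuid()).pw_name  # real UID, not a spoofable $USER
    with open(log, "a") as fh:
        fh.write(audit_line(user, action, name, rtype, result) + "\n")
    return result
```

Because the wrapper writes its own record per call, the audit trail does not depend on grepping or rotating the name server's log.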