DDNS and Hidden Master == Brain-Damaged
Paul Vixie
vixie at sa.vix.com
Wed Jan 26 18:02:28 UTC 2005
John Hascall <john at iastate.edu> writes:
> Can somebody explain to me why on earth the DDNS code,
> after looking up the SOA for the zone to be updated,
> insists on checking the NS records for the zone to see
> if the SOA.MNAME is listed there?
because that's what RFC 2136 says to do.
> Comment taken from lib/bind/resolv/res_findzonecut.c :
> * ultimately we want some server addresses, which are ideally the ones
> * pertaining to the SOA.MNAME, but only if there is a matching NS RR.
> * so the second phase (after we find an SOA) is to go looking for the
> * NS RRset for that SOA's zone.
RFC 2136 says:
4.3. If the requestor has reasonable cause to believe that all of a
zone's servers will be equally reachable, then it should arrange to
try the primary master server (as given by the SOA MNAME field if
matched by some NS NSDNAME) first to avoid unnecessary forwarding
inside the slave servers. (Note that the primary master will in some
cases not be reachable by all requestors, due to firewalls or network
partitioning.)
> John
> PS, allow-update-forwarding is not the answer.
res_findzonecut() is only called if your nsupdate doesn't specify a server.
therefore if you have specific knowledge of what server ought to be receiving
the update, you should share that knowledge and avoid res_findzonecut()
altogether.
--
Paul Vixie
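
The server-selection rule from RFC 2136 section 4.3 quoted above, as an added sketch (not code from BIND or from either poster). The zone data, host names and the function names canon() and update_targets() are constructed for illustration; the explicit_server argument stands in for naming a server to nsupdate.

```python
def canon(name):
    """Comparable form of a DNS name: case-insensitive, trailing dot dropped."""
    return name.rstrip(".").lower()


def update_targets(soa_mname, ns_names, explicit_server=None):
    """Ordered list of servers an updater would try for a zone.

    With an explicit server no discovery happens at all. Otherwise the
    candidates are the NS NSDNAMEs, and the SOA MNAME goes first only
    when it matches one of them (RFC 2136 section 4.3).
    """
    if explicit_server:
        return [canon(explicit_server)]

    servers = []
    for ns in ns_names:
        c = canon(ns)
        if c not in servers:          # drop duplicates, keep RRset order
            servers.append(c)

    primary = canon(soa_mname)
    if primary in servers:            # MNAME "matched by some NS NSDNAME"
        servers.remove(primary)
        servers.insert(0, primary)
    # An MNAME absent from the NS RRset (hidden master) is never added.
    return servers


# Constructed sample zone data, not taken from the thread.
NS_SET = ["ns1.example.com.", "ns2.example.com."]
HIDDEN_MNAME = "hidden.example.com."   # primary not listed in NS
LISTED_MNAME = "NS2.Example.COM."      # primary listed, different case

if __name__ == "__main__":
    # Hidden master: only the listed servers are tried.
    print(update_targets(HIDDEN_MNAME, NS_SET))
    # Listed primary: moved to the front of the list.
    print(update_targets(LISTED_MNAME, NS_SET))
    # Operator names the server: discovery is skipped.
    print(update_targets(HIDDEN_MNAME, NS_SET, explicit_server=HIDDEN_MNAME))
```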