dnssec updated zone data is not live ??

Kevin Darcy kcd at chrysler.com
Thu Dec 17 19:50:15 UTC 2009


Gregory Machin wrote:
> On Fri, Dec 11, 2009 at 12:22 AM, Kevin Darcy <kcd at chrysler.com> wrote:
>   
>> Gregory Machin wrote:
>>     
>>> Hi
>>> Please can you advise. It's been ages since I have configured dnssec.
>>> I used nsupdate (with dnssec) to update a zone file with all the hosts'
>>> current IPs so that they are reachable via a host name even when the
>>> IP has changed (a dyndns.org type of thing). Everything seems to work
>>> fine: named accepts the update and writes it to the .jnl file, but when
>>> I try to ping the updated host name I get "ping: unknown host
>>> greg.za.protetor.net", and this is on the server running named. Yet
>>> the logs show
>>>
>>> Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view
>>> external: updating zone 'device.example.net/IN': deleting rrset at
>>> 'greg.device.example.net' A
>>> Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view
>>> external: updating zone 'device.example.net/IN': adding an RR at
>>> 'greg.device.example.net' A
>>>
>>> Which is correct from what I remember the last time I did this.
>>>
>>> my zone configuration:
>>> /etc/named.conf
>>> zone "device.example.net" {
>>>        type master;
>>>        file "/var/named/device.example.net.db";
>>>        allow-transfer { any; };
>>>        allow-update { key device.example.net; };
>>> };
>>>
>>>
>>> zone file:
>>>
>>> $ORIGIN .
>>> $TTL 3600       ; 1 hour
>>> device.example.net         IN SOA  ns1.example.net. ns2.example.net. (
>>>                                2009120805 ; serial
>>>                                900        ; refresh (15 minutes)
>>>                                600        ; retry (10 minutes)
>>>                                86400      ; expire (1 day)
>>>                                3600       ; minimum (1 hour)
>>>                                )
>>>                        NS      ns1.example.net.
>>>                        NS      ns2.example.net.
>>>                        A       205.234.215.112
>>>                        MX      0 server.example.net.
>>> $ORIGIN device.example.net.
>>> $TTL 60 ; 1 minute
>>> greg                    A       97.xxx.xxx.127
>>>
>>>
>>>
>>> Running:
>>> BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5
>>>
>>>
>>>
>>>       
>> First of all, are you talking about DNSSEC, or just plain Dynamic Update
>> (presumably crypto-authenticated if this is going to be a
>> publically-updateable zone)? I don't see any DNSSEC records in the zone file
>> you posted.
>>
>> Secondly, if you do an AXFR of the zone after the Dynamic Update, does it
>> reflect the change?
>>
>> Thirdly, on the machine which is originating the ping, how is it set up to
>> resolve names? Does it only use DNS? Does it only use *itself* for resolving
>> DNS? Is there some intermediate caching going on (e.g. nscd or equivalent)?
>> If so, have you waited long enough for the entries to expire from that
>> intermediate cache?
>>
>> - Kevin
>>
>> _______________________________________________
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
>>     
>
> Hi kevin
> Just plain Dynamic Update with "crypto-authenticated" keys
>
> if I do a dig on
> root at server [~]# dig @ns1.example.net device.example.net A +tcp
>
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> @ns1.example.net
> device.example.net A +tcp
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44660
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;device.example.net.		IN	A
>
> ;; ANSWER SECTION:
> device.example.net.	3600	IN	A	205.xxx.xxx.112
>
> ;; AUTHORITY SECTION:
> device.example.net.	3600	IN	NS	ns1.example.net.
> device.example.net.	3600	IN	NS	ns2.example.net.
>
> ;; Query time: 1 msec
> ;; SERVER: 205.234.215.113#53(205.234.215.113)
> ;; WHEN: Fri Dec 11 03:30:08 2009
> ;; MSG SIZE  rcvd: 85
>
> There should be an A record for a host greg.device.example.net. IN A
> 97.xxx.xxx.127
> Yet if I cat the zone file there is a record
>
> greg			A	97.xxx.xxx.127
>
> I'm doing the ping on the dns server that is hosting the
> device.example.net zone ..
>
>   
Cat'ing the zone file is no longer reliable once you've enabled a zone 
for Dynamic Update. There might be updates in the log file which haven't 
been committed to the actual zone file yet. That's why I recommended 
that you use an AXFR of the zone to check for changes recently made.

- Kevin
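A way to apply the advice above in practice, added here as an example and not taken from this thread: a POSIX shell script that pulls the zone by AXFR from the authoritative server and searches the transfer, rather than the on-disk zone file, for the updated RR. It assumes dig is installed, that the key file passed to -k is the same TSIG key the update used, and that the sample AXFR text and the 192.0.2.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: confirm a Dynamic Update is live by searching an AXFR of the
# zone, never the zone file on disk (the .jnl journal may hold changes that
# named has not yet written back; "rndc freeze" would flush them, but serving
# answers does not depend on that).
# Assumptions: dig is installed; KEYFILE is a TSIG key in "dig -k" format.

# axfr_has_record DUMP NAME TYPE RDATA
# Exit 0 when DUMP (text as printed by "dig ... AXFR") contains NAME TYPE RDATA.
axfr_has_record() {
    printf '%s\n' "$1" | awk -v want="$2" -v rtype="$3" -v rdata="$4" '
        BEGIN { sub(/\.$/, "", want) }          # accept name with or without final dot
        /^;/ || NF < 5 { next }                 # skip dig comment lines and short lines
        { name = $1; sub(/\.$/, "", name) }
        name == want && $3 == "IN" && $4 == rtype && $5 == rdata { found = 1 }
        END { exit found ? 0 : 1 }'
}

# fetch_axfr SERVER ZONE [KEYFILE]: transfer the zone from the given server.
fetch_axfr() {
    if [ -n "$3" ]; then dig @"$1" "$2" AXFR -k "$3"; else dig @"$1" "$2" AXFR; fi
}

# Constructed sample of dig AXFR output (addresses are placeholders, not the OP's).
SAMPLE_AXFR='; <<>> DiG 9.3.6 <<>> @ns1.example.net device.example.net AXFR
device.example.net.      3600  IN  SOA  ns1.example.net. ns2.example.net. 2009120806 900 600 86400 3600
device.example.net.      3600  IN  NS   ns1.example.net.
device.example.net.      3600  IN  A    192.0.2.112
greg.device.example.net. 60    IN  A    192.0.2.127
device.example.net.      3600  IN  SOA  ns1.example.net. ns2.example.net. 2009120806 900 600 86400 3600
;; Query time: 1 msec'

# Usage: check_update.sh SERVER ZONE NAME TYPE RDATA [KEYFILE]
if [ $# -ge 5 ]; then
    dump=$(fetch_axfr "$1" "$2" "$6") || exit 2
    if axfr_has_record "$dump" "$3" "$4" "$5"; then
        echo "live: $3 $4 $5 is served by $1"
    else
        echo "NOT live on $1: $3 $4 $5 (check the update log and journal)" >&2
        exit 1
    fi
fi
```

If the record is present in the AXFR but ping on the same box still fails, the fault is in the resolver path (stub resolver configuration, nscd or an intermediate cache) rather than in the update. Note that `allow-transfer { any; };` in the posted named.conf lets anyone pull the whole zone; restricting it to the secondaries and the update key is the usual practice.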